Automates d'arbres bidirectionnels modulo théories équationnelles (Two-Way Tree Automata Modulo Equational Theories)


Abstract (French résumé)

Two-way tree automata extend classical automata in that transitions can not only construct but also destruct terms. Recently, equational variants of tree automata have been proposed which accept terms modulo an equational theory. In this thesis we study two-way tree automata modulo equational theories. We study the theories AC (associativity, commutativity of +), ACU (with unit 0), ACUI (with idempotence x + x = x), ACUX (with cancellation x + x = 0) and ACUM (Abelian groups). These automata are important for the verification of cryptographic protocols that use non-perfect cryptographic primitives.

We study the decidability and the closure under Boolean operations of these automata. We start with negative results: emptiness is undecidable for two-way automata, or for alternating one-way automata, modulo the theories AC, ACU, ACUM.

We show that one-way automata modulo all these theories are closed under intersection, and that emptiness is decidable. Closure under union is trivial. On the other hand, while one-way automata modulo AC, ACU are closed under complementation, those modulo ACUX, ACUM and ACUI are not. The closure and decidability properties extend to the two-way case, for each theory except ACUI, if the format of push clauses is restricted. We show this by reducing two-way automata to one-way automata. (The ACUI case is open.) To handle certain clauses having the symbol + in the body, we develop an extension of vector addition systems with states (VASS), called extended VASS. We show that the construction of Karp and Miller trees for VASS can be extended to extended VASS.

These results differ markedly from the case of non-equational automata, which have all the closure and decidability properties.
Two-Way Equational Tree Automata


Abstract

Two-way tree automata extend classical tree automata by allowing transitions that can destruct terms besides constructing them. Recently equational variants of tree automata have been proposed which accept terms modulo an equational theory. In this thesis we study two-way equational tree automata. We study the theories AC (associativity, commutativity of +), ACU (with unit 0), ACUI (with idempotence x + x = x), ACUX (with cancellation x + x = 0) and ACUM (Abelian groups). These automata are useful in the verification of cryptographic protocols which use non-perfect cryptographic primitives.

We study the properties of decidability and closure under Boolean operations of these automata. We start with negative results: emptiness is undecidable for alternating one-way automata, as well as for general two-way automata modulo the theories AC, ACU, ACUM.

We show that the one-way automata modulo all these theories are closed under intersection, and emptiness is decidable. Closure under union is trivial. On the other hand, while the one-way automata modulo AC, ACU are closed under complementation, those modulo ACUX, ACUM and ACUI are not. These closure and decidability properties extend to the two-way case, for each theory except ACUI, if we restrict the format of push clauses. We show this by reducing the two-way automata to one-way automata. (The ACUI case is open.) In order to deal with certain push clauses which have the + symbol in the body, we develop an extension of Vector Addition Systems with States (VASS), called Extended VASS, in which transitions can add configurations. We show that the construction of Karp and Miller trees for VASS can be extended to Extended VASS.

Our results on one-way and two-way equational tree automata are strikingly different from the case of non-equational automata, which have all the good closure and decidability properties.
Chapter 1

Introduction


Tree automata [CDG+97, GS97] are an important tool in computer science. Various extensions of tree automata have been proposed in order to increase their expressiveness. One that was considered very early is that of two-way tree automata, where transitions can not only construct terms but also destruct them. Another consists of alternating tree automata [Slu85], where one may accept not only unions but also intersections of sets of terms accepted at certain states. Recently, proposals have appeared for equational variants of tree automata [Ohs01, Lug03], which operate on terms modulo an equational theory. In this thesis we study combinations of these aspects, that is, equational, two-way and alternating automata. This is motivated by applications in the verification of cryptographic protocols.

In this chapter we briefly discuss cryptographic protocols, tree automata and their extensions, and then we present the contributions and the plan of this thesis.

Contributions. In this thesis we define and study the notion of one-way and two-way equational tree automata. We adopt an approach describing one-way and two-way automata in first-order logic, and we extend them to the case of equational theories. We concentrate on the equational theories of associativity-commutativity and its extensions. More precisely, we deal with the theories AC (associativity and commutativity of +), ACU (AC with unit 0), ACUX (ACU plus the axiom x + x = 0, i.e. the theory of exclusive-or), $\mathrm{ACUX}_n$ (ACU plus the axiom $\underbrace{x + \cdots + x}_{n \text{ times}} = 0$, a generalization of exclusive-or), ACUM (ACU plus the axiom x + (−x) = 0, that is, the theory of Abelian groups), ACUD (ACU plus the axioms −(x + y) = (−x) + (−y), −(−x) = x and −0 = 0) and ACUI (ACU plus the axiom x + x = x, that is, the theory of idempotence). The theory ACUD is that of a "distributive" − symbol. It is implied by the theory ACUM, and is in fact strictly weaker than ACUM.

To illustrate the use of these two-way equational automata, we show that our tree automata modulo the theory ACU and the theory of Abelian groups (ACUM) can be put to use to model protocols based on modular exponentiation, notably the group Diffie-Hellman protocol, used by a group of participants to agree on a key. Recall that we also deal with the theory of exclusive-or, which is frequently used in cryptographic protocols.

The core of this thesis concerns the study of the algorithmic properties of one-way and two-way automata modulo the theories mentioned above. Specifically, we study the decidability of emptiness of such automata, whether it is possible to compute intersections and complements of such automata as automata of the same kind, and whether two-way automata can be reduced, and even effectively, to one-way automata recognizing the same languages. For all the classes of automata that we study, decidability of emptiness and closure under intersection trivially imply decidability of membership.

We start with the negative results. In all the theories AC, ACU, ACUM, it is already undecidable to test whether the language accepted by a given alternating one-way automaton is empty. As a consequence, various formats of (non-alternating) two-way automata also have an undecidable emptiness problem modulo these theories, namely those that are able to encode alternation. Note that this contrasts with the non-equational case, where alternation and two-way-ness are essentially harmless. Indeed, every recursively enumerable set is the language of an alternating automaton modulo AC, ACU or ACUM, whereas the languages of one-way non-alternating automata modulo the same theories are only the equational closures of regular languages.

As for the positive results, we first show that emptiness of the language accepted by a one-way equational automaton is decidable. This result holds for any theory, including those not treated in this thesis. In terms of closure properties, we show that one-way automata are closed under union and intersection in all the theories above. While closure under union is immediate, closure under intersection rests on procedures that can be seen as improved product constructions, making intensive use of the correspondences between certain classes of associative-commutative automata and semilinear or Presburger-definable sets. Although one-way tree automata modulo all these theories are closed under intersection, the situation is completely different for complementation. We show that, while equational tree automata modulo the theories AC, ACU and ACUD are closed under complementation, those modulo the theories ACUX, $\mathrm{ACUX}_n$, ACUM and ACUI are not. We give counter-examples in these cases.

As for two-way automata, we show that in all the theories mentioned above except ACUI, two-way automata can be effectively reduced to one-way automata modulo the same theory, provided that certain precautions are taken in the definition of the so-called "push" clauses, so as to avoid the undecidable cases mentioned above. (The ACUI case is open.) Consequently, the results on closure under Boolean operations of one-way automata generalize to these two-way automata. Moreover, the emptiness problem for these two-way automata is decidable.

The push clauses considered in these two-way automata involve only non-equational function symbols (that is, they do not contain the symbol +). Next we study automata with push clauses containing +. To handle them, we first need to define an extension of vector addition systems with states (VASS) [Reu89], which we call extended VASS (EVASS). We show that the Karp-Miller trees, defined so as to compute the limits of the reachable configurations of VASS, generalize to EVASS. Thanks to translations of AC automata into EVASS, we are able to show that the automata obtained by adding standard +-push clauses to one-way and two-way AC automata reduce effectively to one-way AC automata. However, since the Karp and Miller construction (even for VASS) is not primitive recursive, this does not give us an exponential algorithm. In contrast, we show that in the ACU (and not AC) case, there is no need to go through EVASS, and we give surprisingly simple reductions of the automata obtained by adding standard +-push clauses to one-way and two-way ACU automata to one-way ACU automata. As for +-push clauses, which are strictly more expressive than standard +-push clauses, although these clauses can be trivially eliminated from ACUX and ACUM automata, the emptiness test for automata containing these clauses modulo ACU is at least as hard as the reachability problem for VASS or Petri nets, which is a problem well known to be hard. We show that the intersection emptiness problem for this class of automata reduces to the emptiness problem for the same class of automata, which gives an indication of the expressive power of +-push clauses. This suggests that AC and ACU automata with +-push clauses are hard to deal with, and the question of their decidability is open today.
Tree automata [CDG+97, GS97] are an important tool in computer science. Various extensions of tree automata have been proposed with a view to increasing their expressiveness. One that was considered very early is that of two-way tree automata, where transitions may not only construct terms but also destruct them. Another one is alternating tree automata [Slu85], where we may accept not just unions but also intersections of sets of terms accepted at some states. Recently there have been proposals for equational variants of tree automata [Ohs01, Lug03] which work with terms modulo an equational theory. In this thesis, we study combinations of these features, that is, of equational, two-way, and alternating tree automata. This is motivated by applications in the verification of cryptographic protocols.


1.1 Cryptographic Protocols and Tree Automata 

Security of computer systems is an issue of major concern today. In particular, the study of cryptography and of cryptographic protocols has received considerable attention in recent years. They are increasingly used today, notably because of the growth of electronic commerce, where secrets need to be preserved or the authenticity of messages needs to be established.

Cryptography refers to encryption and decryption algorithms as well as related algorithmic techniques. Such algorithms allow us, e.g., to encrypt a given message with a given key so that the original message can be recovered from the encrypted message only by someone who knows the inverse key.

On the other hand, cryptographic protocols are rules for exchanging messages, using cryptographic algorithms as black boxes. It is well known that even provably secure encryption and decryption algorithms are not enough to ensure a sufficient level of security. Despite the ingenuity of their designers, most cryptographic protocols are found to be faulty later on. Further, the attacks found against these faulty protocols are of a purely logical nature, i.e. these attacks can be described independently of the actual cryptographic means used, by showing how an intruder can replay old messages, forge new messages, get keys and use them to decrypt messages, etc. Such attacks can have serious economic consequences. These protocols generally have descriptions short enough to make us believe that an informal analysis of these protocols is enough to be assured of their correctness. However, in practice the flaws in these protocols are often some silly errors which escape the attention of their designers. For these reasons formal verification of cryptographic protocols is needed to be assured of their security properties.

Several methods exist for evaluating the security of cryptographic protocols, including model checking methods [Low95, Low96, MCJ97, Mea92, Mea96], computer assisted proof development [Bol96, Pau98], logics of belief [Bie90, BAN89], rewriting [GK99], process algebras [AG97], tree automata [Mon99, GL00, CCM01] to name a few. In this thesis, we pursue the idea of using tree automata to model cryptographic protocols. In this approach terms are used to represent messages. Then (an upper approximation of) the set of messages known to an intruder is expressed as the language accepted by a tree automaton. We then check that this automaton does not accept any message that is intended to remain secret, in other words the intruder does not know any message intended to be a secret.

This approach is based on the assumption of perfect cryptographic primitives. Representing the encryption of message $m$ by key $k$ as $\{m\}_k$, this assumption means that the messages $\{m\}_k$ and $\{m'\}_{k'}$ cannot be confounded if $m \neq m'$ or $k \neq k'$, that $\{\ldots\{\{m\}_{k_1}\}_{k_2}\ldots\}_{k_n} \neq m$, that $\{m\}_k \neq \langle m_1, m_2 \rangle$ (where $\langle m_1, m_2 \rangle$ represents the pair of messages $m_1$ and $m_2$), etc. Under this assumption, the set of messages becomes a free term algebra: the term $\mathrm{encrypt}(m, k)$ is used to represent the encryption of $m$ with $k$, and the term $\mathrm{pair}(m_1, m_2)$ is used to represent the pairing of two messages $m_1$ and $m_2$.
1.2 Tree Automata and their Extensions

Under these assumptions, there is a natural way to represent the knowledge of an intruder in a protocol using transitions of tree automata [CDG+97, GS97]. In this thesis we use a first-order logic approach to representing tree automata. In such an approach, definite clauses of first-order logic are used to represent the transitions of an automaton. The predicates of the logic represent the states of the automata. An atom of the form $P(t)$ means that term $t$ is accepted at state $P$. For example, the clause

$$P(f(x_1, \ldots, x_n)) \Leftarrow P_1(x_1) \wedge \ldots \wedge P_n(x_n)$$

can be read as "if terms $x_1, \ldots, x_n$ are accepted at states $P_1, \ldots, P_n$ then the term $f(x_1, \ldots, x_n)$ is accepted at state $P$". The clause

$$P(x) \Leftarrow Q(x)$$

can be read as "if $x$ is accepted at $Q$ then $x$ is accepted at $P$". These two forms of clauses correspond to the clauses of the classical tree automata usually described in the literature [CDG+97]. They are usually written as rewrite rules:

$$f(P_1, \ldots, P_n) \rightarrow P$$

and

$$Q \rightarrow P$$

The automata containing the above two kinds of clauses are called one-way automata in this thesis, to distinguish them from two-way automata, which are their extensions.

Returning to our modeling of cryptographic protocols, we now use the state (predicate) $I_C$ to accept the set of messages (terms) known to an intruder in configuration $C$. Then the following clauses represent some deductive abilities of the intruder.

$$I_C(\mathrm{encrypt}(m, k)) \Leftarrow I_C(m) \wedge I_C(k) \quad \text{(intruder can encrypt messages)}$$

$$I_C(\mathrm{pair}(x, y)) \Leftarrow I_C(x) \wedge I_C(y) \quad \text{(intruder can form pairs)}$$

$$I_{C_{\mathit{new}}}(x) \Leftarrow I_{C_{\mathit{old}}}(x) \quad \text{(intruder remembers past messages)}$$

For example, the first clause says that if the intruder knows message $m$ and key $k$ in configuration $C$ then the intruder knows the encryption of $m$ by $k$. In other words, this clause says that the intruder has the power to encrypt messages. We can see that these clauses are clauses of one-way automata.

Having represented a protocol using tree automata, we are then interested in knowing whether a particular set of messages is known to the intruder. Such questions can then be thought of as questions about the emptiness, or the emptiness of intersections, of languages accepted by tree automata.
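The two questions this section ends on, emptiness and emptiness of intersections, decided for one-way automata written in the clause format above. This is an added example, not code from the thesis; the representation, the function names, the classical product construction and the sample clauses are my own constructions.

```python
# Added example (not from the thesis): a one-way tree automaton given as
# definite clauses, with emptiness, membership and intersection emptiness
# decided on it. All names below are mine.

# Terms are nested tuples ('f', t1, ..., tn); a constant is ('a',).
# Clause P(f(x1..xn)) <= P1(x1) ^ ... ^ Pn(xn) is (P, 'f', (P1, ..., Pn)).
# Epsilon clause P(x) <= Q(x) is (P, None, (Q,)).

def witnesses(clauses):
    """Least fixed point over the states: for each state, one term it
    accepts. A state missing from the result accepts the empty language."""
    wit = {}
    changed = True
    while changed:
        changed = False
        for head, sym, body in clauses:
            if head in wit or not all(q in wit for q in body):
                continue
            # epsilon clause: inherit Q's witness; otherwise build f(...)
            wit[head] = wit[body[0]] if sym is None else \
                (sym,) + tuple(wit[q] for q in body)
            changed = True
    return wit

def is_empty(clauses, state):
    return state not in witnesses(clauses)

def run(clauses, term):
    """Bottom-up run: the set of states at which `term` is accepted."""
    sym, args = term[0], term[1:]
    arg_states = [run(clauses, a) for a in args]
    states = {head for head, s, body in clauses
              if s == sym and len(body) == len(args)
              and all(q in st for q, st in zip(body, arg_states))}
    changed = True                       # close under epsilon clauses
    while changed:
        changed = False
        for head, s, body in clauses:
            if s is None and body[0] in states and head not in states:
                states.add(head)
                changed = True
    return states

def accepts(clauses, state, term):
    return state in run(clauses, term)

def states_of(clauses):
    return {h for h, _, _ in clauses} | {q for _, _, b in clauses for q in b}

def product(c1, c2):
    """Classical product construction: state (P, Q) accepts exactly the
    terms accepted at both P and Q. Valid here because the signature is
    free (no equational symbol +), the case the text calls non-equational."""
    out = []
    for h1, s1, b1 in c1:
        for h2, s2, b2 in c2:
            if s1 is not None and s1 == s2 and len(b1) == len(b2):
                out.append(((h1, h2), s1, tuple(zip(b1, b2))))
    for h, s, b in c1:                   # epsilon clauses pair with any state
        if s is None:
            out += [((h, q), None, ((b[0], q),)) for q in states_of(c2)]
    for h, s, b in c2:
        if s is None:
            out += [((p, h), None, ((p, b[0]),)) for p in states_of(c1)]
    return out

def intersection_empty(c1, p, c2, q):
    return is_empty(product(c1, c2), (p, q))

# Constructed sample: state I is the intruder's knowledge built from the
# constants a and k with the encryption and pairing clauses of the text;
# state S accepts exactly the secret s; state E has no base case.
INTRUDER = [
    ('I', 'a', ()), ('I', 'k', ()),
    ('I', 'encrypt', ('I', 'I')),
    ('I', 'pair', ('I', 'I')),
    ('E', 'encrypt', ('E', 'I')),
]
SECRET = [('S', 's', ())]

if __name__ == '__main__':
    print(accepts(INTRUDER, 'I', ('encrypt', ('a',), ('k',))))  # True
    print(is_empty(INTRUDER, 'E'))                              # True
    print(intersection_empty(INTRUDER, 'I', SECRET, 'S'))       # True
```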

1.2.1 Two-Way Automata 

However, the clauses of one-way automata described above are too limited to express all the deductive abilities of an intruder. For example, we need to state the following properties:

$$I_C(m) \Leftarrow I_C(\mathrm{encrypt}(m, k)) \wedge I_C(k) \quad \text{(intruder can decrypt messages)}$$

$$I_C(x) \Leftarrow I_C(\mathrm{pair}(x, y)) \quad \text{(intruder can unpair messages)}$$

$$I_C(y) \Leftarrow I_C(\mathrm{pair}(x, y))$$
The first clause says that if the intruder knows an encrypted message, and he also knows the corresponding key, then he knows the original (unencrypted) message (because the intruder can decrypt messages). Clearly these clauses are not in the format of one-way automata clauses. Intuitively, the difference is that these clauses allow us to destruct terms, whereas the clauses of one-way automata allow us to construct terms. For these reasons, we extend one-way automata by adding the following form of clauses:

$$Q(x_i) \Leftarrow P(f(x_1, \ldots, x_n)) \wedge P_1(x_{i_1}) \wedge \ldots \wedge P_k(x_{i_k})$$

where $1 \leq i, i_1, \ldots, i_k \leq n$. These clauses are called general push clauses and the extended form of automata are called general two-way automata.

Sometimes we also need the following kind of clauses

$$P(x) \Leftarrow P_1(x) \wedge P_2(x)$$

called intersection clauses. Automata containing such clauses are called alternating automata. This clause can be read as "if $x$ is accepted at both $P_1$ and $P_2$ then $x$ is accepted at $P$".
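The decrypt and unpair push clauses above, run over a finite set of observed messages. This is an added example, not code from the thesis: it is plain saturation under the destructive clauses followed by the constructive (one-way) check, not the thesis's reduction to one-way automata; the function names and the sample messages are my own constructions.

```python
# Added example, not code from the thesis: the push clauses of this section
# (I(m) <= I(encrypt(m,k)) ^ I(k), I(x) <= I(pair(x,y)), I(y) <= I(pair(x,y)))
# applied by saturation to a finite set of observed messages, then the
# one-way encrypt/pair clauses applied as a constructive check. Terms are
# nested tuples ('f', t1, ..., tn); a constant is ('a',). Names are mine.

def can_build(known, t):
    """One-way (constructive) direction: t is derivable if the intruder
    knows it, or it is encrypt(m,k) / pair(x,y) with derivable arguments."""
    if t in known:
        return True
    if t[0] in ('encrypt', 'pair'):
        return all(can_build(known, a) for a in t[1:])
    return False

def saturate(initial):
    """Two-way (destructive) direction: close the knowledge under the push
    clauses. Every term added is a subterm of an initial message, so the
    loop terminates. The key of an encryption is tested with can_build,
    so a key the intruder can only assemble (e.g. pair(k1,k2)) also opens
    the message it encrypts."""
    known = set(initial)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if t[0] == 'pair':                       # the two unpair clauses
                new = {t[1], t[2]} - known
            elif t[0] == 'encrypt' and can_build(known, t[2]):
                new = {t[1]} - known                 # the decrypt clause
            else:
                continue
            if new:
                known |= new
                changed = True
    return known

def intruder_knows(initial, secret):
    """Membership of `secret` in the intruder's knowledge: saturate with the
    push clauses first, then check with the one-way clauses. Decomposing a
    term the intruder built himself yields nothing new, so this order is
    complete for these clauses."""
    return can_build(saturate(initial), secret)

# Constructed scenario: the intruder observed {s}_k, the pair (a, k2) and
# {k}_{k2}. s is reachable only by unpairing (k2), decrypting (k), then
# decrypting again; without {k}_{k2} the one-way clauses alone never yield s.
S, K, K2, A = ('s',), ('k',), ('k2',), ('a',)
SEEN = [('encrypt', S, K), ('pair', A, K2), ('encrypt', K, K2)]

if __name__ == '__main__':
    print(intruder_knows(SEEN, S))                                  # True
    print(intruder_knows([('encrypt', S, K), ('pair', A, K2)], S))  # False
```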

1.2.2 Equational Tree Automata 

Now we come to the most important extension that is treated in this thesis: the extension of tree automata by adding equational theories. These extensions are motivated by the fact that in actual practice, protocols often do not satisfy the perfect cryptographic primitive assumption mentioned above. As an example, the original version of Bull's recursive authentication protocol presented in [Pau97] was formally proved correct using the assumption of perfect cryptographic primitives. However, this protocol uses the exclusive-or operation for encryption. By taking into account the properties of the exclusive-or operation like associativity, commutativity and cancellation, an attack against this protocol was found in [RS98]. Also protocols like the group Diffie-Hellman protocol [STW00] use algebraic properties of modular exponentiation [DH76]. For these reasons we need to take into account the algebraic properties of cryptographic primitives in the formal analysis of protocols. These properties are conveniently expressed using a set of equations. Some of the theories that often occur are the theories of an associative and commutative symbol with a unit, the theory of Abelian groups, and the theory of exclusive-or.

This motivates our extensions of (one-way and two-way) tree automata to (one-way and two-way) equational tree automata, which work with terms modulo an equational theory. In this thesis we define and study the decidability and closure properties of one-way and two-way equational tree automata for a certain number of theories. Note that for the purposes of cryptographic protocols, the theory of associativity and commutativity occurs most often. Theories like that of Abelian groups or of the exclusive-or operator are obtained from the theory of exclusive-or by adding some additional axioms. For this reason, in this thesis, we have chosen to deal with the theories of associativity-commutativity (with or without unit), and theories obtained by adding certain axioms to the theory of associativity-commutativity. In particular we also deal with the theory of exclusive-or and the theory of Abelian groups.
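What "terms modulo an equational theory" means concretely for the exclusive-or theory ACUX named above: a normal form such that two terms are equal modulo ACUX exactly when their normal forms coincide. This is an added example, not code from the thesis; the representation and function names are my own.

```python
# Added example, not from the thesis: canonical forms of terms modulo ACUX
# (associativity, commutativity, unit 0, cancellation x + x = 0), the theory
# of exclusive-or. Terms are nested tuples ('f', t1, ..., tn); a constant is
# ('a',); the equational symbol is '+'. Names are mine.
from collections import Counter

ZERO = ('0',)

def normalize(t):
    """Canonical form modulo ACUX: flatten nested + (A), sort the arguments
    (C), drop 0 (U), cancel pairs of equal arguments (X). Free symbols such
    as encrypt and pair are kept and only their arguments are normalized."""
    if t[0] != '+':
        return (t[0],) + tuple(normalize(a) for a in t[1:])
    count = Counter()
    for a in t[1:]:
        a = normalize(a)
        if a[0] == '+':                # flatten: (x + y) + z = x + (y + z)
            for b in a[1:]:
                count[b] += 1
        elif a != ZERO:                # x + 0 = x
            count[a] += 1
    # x + x = 0: only arguments occurring an odd number of times survive
    args = sorted((b for b, n in count.items() if n % 2 == 1), key=repr)
    if not args:
        return ZERO
    if len(args) == 1:
        return args[0]
    return ('+',) + tuple(args)

def equal_mod_acux(s, t):
    """s and t denote the same message modulo ACUX."""
    return normalize(s) == normalize(t)

# Constructed sample: under the perfect-cryptography assumption (s + k) + k
# and s are distinct terms; modulo ACUX they are the same message, which is
# exactly what a free term algebra cannot express.
S, K, A, B = ('s',), ('k',), ('a',), ('b',)
MASKED_TWICE = ('+', ('+', S, K), K)

if __name__ == '__main__':
    print(normalize(MASKED_TWICE))                     # ('s',)
    print(equal_mod_acux(('+', A, ('+', A, B)), B))    # True
```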

There has recently been considerable work on dealing with equational theories in cryptographic protocols. The theory of exclusive-or has been dealt with in [Cor03, CLC03]. Their approach is very similar to ours in that they study satisfiability of Horn clauses in the presence of the theory of exclusive-or. The class of clauses they consider is incomparable to the classes we deal with. Our approach is also more automata-theoretic, in that we deal with the closure properties of the automata defined by our clauses, and also our clauses have been chosen specifically to define one-way and two-way tree automata. [CLS03] deals with protocols in the presence of the theories of exclusive-or and Abelian groups, although they use constraint solving instead of Horn clauses. An equational unification algorithm for protocols involving modular exponentiation is studied in [KNW03]. [CKRT03] presents an NP decision procedure for deciding insecurity of protocols in the presence of an exclusive-or operator.


1.3 Contributions of the Thesis 

In this thesis we define and study the notion of one-way and two-way equational tree automata. We take a first-order logic approach to describing one-way and two-way tree automata, and extend them to deal with equational theories. We focus on the equational theories of associativity-commutativity and its extensions. More precisely, we deal with the theories AC (associativity and commutativity of +), ACU (AC with unit 0), ACUX (ACU with the axiom x + x = 0, i.e. the theory of exclusive-or), $\mathrm{ACUX}_n$ (ACU with the axiom $\underbrace{x + \cdots + x}_{n \text{ times}} = 0$, a generalization of exclusive-or), ACUM (ACU with the axiom x + (−x) = 0, i.e. the theory of Abelian groups), ACUD (ACU with the axioms −(x + y) = (−x) + (−y), −(−x) = x and −0 = 0) and ACUI (ACU with the axiom x + x = x, i.e. the theory of idempotence). The theory ACUD is the theory of a "distributive" − symbol. It is implied by the theory ACUM, and is actually strictly weaker than ACUM.

To illustrate the use of these equational two-way automata, we show that our tree automata modulo the theory ACU and the theory of Abelian groups (ACUM) can be profitably used to model protocols based on modular exponentiation, e.g. the group Diffie-Hellman protocol, used by a group of participants to agree on a common key. Recall that we also deal with the theory of exclusive-or, which is used frequently in cryptographic protocols.

The core of this thesis is concerned with the study of the algorithmic properties of one-way and 
two-way tree automata modulo the theories listed above. Specifically, we study the decidability of 
emptiness of such automata, and whether it is possible to compute intersections and complements of 
such automata as automata of the same kind, and whether two-way automata can be reduced, and 
if so effectively, to one-way automata recognizing the same languages. For all classes of automata 
that we study, decidability of emptiness and closure under intersection trivially imply decidability of 
membership. 

We start with negative results. In all the theories AC, ACU, ACUM, it is already undecidable to test whether the language accepted by a given alternating one-way automaton is empty. This has the consequence that various formats of two-way (non-alternating) automata also have an undecidable emptiness problem modulo these theories, namely the ones that are able to encode alternation. Note that this is in contrast with the non-equational case, where alternation and two-way-ness are essentially harmless. Indeed, every recursively enumerable set is the language of some alternating automaton modulo AC, ACU, or ACUM, while the languages of one-way, non-alternating automata modulo the same theories are only equational closures of regular languages.

As far as the positive results are concerned, we first show that the emptiness of the language accepted by a one-way equational tree automaton is decidable. This result holds for an arbitrary theory, including those not dealt with in this thesis. Coming to closure properties, we show that the one-way automata for all the theories above are closed under union and intersection. While closure under union is immediate, closure under intersection uses procedures that can be thought of as souped-up product constructions, with a lot of help from connections between some classes of associative-commutative automata and semilinear sets or Presburger-definable sets. While the one-way tree automata modulo all these theories are closed under intersection, the situation is strikingly different in the case of complementation. We show that while the one-way tree automata modulo the theories AC, ACU and ACUD are closed under complementation, those modulo the theories ACUX, $\mathrm{ACUX}_n$, ACUM and ACUI are not closed under complementation. We give counter-examples for the latter cases.

As far as two-way automata are concerned, we show that in all theories mentioned above except ACUI, two-way automata can be effectively reduced to one-way automata modulo the same theory, provided some care is taken in the definition of the so-called push clauses in order to avoid the undecidable cases mentioned above. (The ACUI case is open.) As a result, the results about closure under Boolean operations of one-way automata also generalize to these two-way automata. Also, the emptiness problem of these two-way automata is decidable.

The push clauses considered in these two-way automata involved only non-equational function symbols (i.e. they did not contain the symbol +). Next we study the automata with push clauses involving +. To deal with them we first need to define an extension of Vector Addition Systems with States (VASS) [Reu89] which we call Extended VASS (EVASS). We show that the Karp-Miller trees, defined to compute limits of reachable configurations of VASS, can be generalized to EVASS. By translations from AC automata to EVASS, we are able to show that the automata obtained by adding standard +-push clauses to one-way and two-way AC automata can be effectively reduced to one-way AC automata. However, since the Karp-Miller construction (even for VASS) is not primitive recursive, this does not give us an exponential algorithm. In contrast, we show that in the ACU (and not AC) case, we do not need to go through EVASS, and we give surprisingly easy reductions of the automata obtained by adding the standard +-push clauses to one-way and two-way ACU automata to one-way ACU automata. As far as +-push clauses are concerned, which are strictly more expressive than standard +-push clauses, while these clauses can be trivially eliminated from ACUX and ACUM automata, the emptiness test for automata containing these clauses modulo ACU is more difficult than the reachability problem for VASS or Petri nets, which are known to be difficult. We also show that the intersection emptiness problem for this class of automata reduces to the emptiness problem for the same class of automata, indicating the power of +-push clauses. This suggests that AC and ACU automata with +-push clauses are difficult to deal with, and the decidability question for them is currently open.


1.4 Plan of the Thesis 

This thesis is divided into four parts. 

In the first part we present equational tree automata and applications to cryptographic protocols. We start in Chapter 2 by having a quick look at first-order logic, tree automata and equational logic and their interconnections. In particular we see how various classes of tree automata can be considered as logic programs, and how decision problems about automata can be reduced to the satisfiability problem in first-order logic. We also see how to deal with logic programs with equality, since we are interested in studying equational variants of tree automata. In Chapter 3 we deal more specifically with one-way and two-way equational tree automata. We look at the various associative-commutative theories we are going to study and also look at some basic properties of these theories used later. We also look at the various kinds of clauses which we use to define various classes of automata. We end this chapter with a discussion of other formalisms similar to our equational tree automata, and we argue why the work presented in this thesis is original compared to already existing results. Since in most of this thesis we will be dealing with the AC theory and its extensions, it is also natural to ask about the properties of equational tree automata modulo the restrictions of the theories AC, namely the theories A and C. So we start by dealing with these two cases in Chapter 4. We show that languages accepted by C tree automata are merely regular tree languages. On the other hand, A tree automata can accept context-free languages, implying undecidability of intersection emptiness. Then we turn our attention to AC theories. To motivate our study of two-way equational tree automata for AC-like theories, in Chapter 5 we give an application of our equational tree automata in modeling group Diffie-Hellman protocols. In particular it should be observed that we model these protocols using subclasses of our equational tree automata which are later shown to be decidable.

In the second part (Chapter 6), we present the undecidability results. We show that either alternation clauses or general push clauses are sufficient to produce undecidability. This is shown for the 
theories ACU, AC, ACUD and ACUM. These results lead us to study suitable restricted versions of 
general two-way automata, with the goal of obtaining decidability results, in Chapters 10 and 11. 

Before that we first deal with one-way equational tree automata in the third part. We start in 
Chapter 7 by developing some basic tools which shall be very helpful throughout the rest of the thesis. Among others we show that emptiness of one-way equational tree automata is decidable for any 
theory. We prove some results about the runs of equational tree automata. Most importantly we show 
that modulo some of our theories, one-way automata on signatures in which all non-equational symbols are constants accept exactly semilinear sets or Presburger-definable sets, up to some encoding. 
The results in this chapter are very crucial, and all the later results in the thesis are based on them. 

In Chapter 8 we study the closure under intersection of one-way equational tree automata. We 
show that modulo each of the AC theories (namely the theories AC, ACU, ACUX, ACUX_n, ACUD, 
ACUM, ACUI) the one-way equational tree automata are closed under intersection. These in particular imply decidability of intersection emptiness and membership test. As is the case for the results 
later in the thesis, these results depend strongly on the results of Chapter 7. Next we deal with closure 
under complementation of one-way equational tree automata in Chapter 9. We see that the results on 
complementation are strikingly different from those on intersection. While the one-way tree automata modulo the theories AC, ACU and ACUD are closed under complementation, those modulo 
the theories ACUX, ACUX_n, ACUM and ACUI are not closed under complementation (we give 
counter-examples for the latter theories). 

Having dealt with the one-way equational tree automata, we now study the two-way variants of 
equational tree automata in the fourth part. We already show in Chapter 6 that emptiness of general 
two-way equational tree automata is undecidable. Hence to obtain decidability results, we need to 
consider restricted versions of these automata. In Chapter 10 we study the so-called two-way equational tree automata which are obtained by adding free push clauses to one-way equational tree automata. 
Also observe that the clauses used in the modeling of the group Diffie-Hellman protocol described in Chapter 5 belong to this class. We show that for all our AC theories other than ACUI, these 
two-way equational tree automata can be effectively reduced to equivalent one-way equational tree 
automata. (The two-way ACUI case is left open.) We then study automata containing some additional 
clauses in Chapter 11. We show that +-push clauses can be added to ACUX and ACUM automata without 
increasing their expressiveness. On the other hand, these +-push clauses turn out to be difficult for AC 
and ACU automata, and the decidability question for these cases is left open. For the AC and ACU cases, 
we introduce a further weaker form of +-push clauses, called standard +-push clauses. We show that 
standard +-push clauses do not increase the expressiveness of two-way AC and ACU tree automata. 
While this result is easy for the ACU case, for the AC case we need to take a detour through an 
extended notion of VASS. For this reason, we also define and study in this chapter extended VASS 
(EVASS), and show a generalization of the Karp-Miller tree for VASS to extended VASS. 

Chapters 8 and 10 are described in [Ver03b]. Chapter 9 is described in [Ver03a]. Chapter 11 is 
described in [GLV]. Chapters 6 and 7 are described in [Ver03b] and [GLV]. [GLV] also describes 
how techniques of refinements of the resolution procedure for satisfiability checking in first order 
logic [GLM97] can be used to obtain decision procedures for the extensions of two-way AC tree 
automata with standard +-push clauses. These techniques have not been described in this thesis; 
however we have shown the results of [GLV] in this thesis using alternative techniques. Readers 
interested in decision procedures using resolution for two-way equational tree automata may refer to 
that paper. 



Part I 

Equational Tree Automata and 
Application to Cryptographic Protocols 
Chapter 2 

First Order Logic, Tree Automata and 
Equational Theories 


We recall here the basic notions of first order terms, the Tarski and Herbrand semantics of first order 
logic, and the notion of the least Herbrand model of a set of Horn clauses. We also recall the basic 
notions concerning rewriting systems. This done, we move on to tree automata (classical tree automata, 
that is, one-way, non-alternating, non-equational ones) and recall their definition in terms of rewriting 
systems. We recall that these automata define a family of languages closed under union, intersection 
and complementation, and such that membership in such a language, or emptiness of such a language, 
is decidable. It will be useful later in the thesis, if only to define the very notion of two-way tree 
automaton, to redefine tree automata as sets of Horn clauses of a specific form, which we do. We take 
advantage of this new presentation to define not only two-way tree automata but also alternating ones, 
and we show that the latter can effectively be reduced to ordinary tree automata accepting the same 
languages. Finally we define equational Herbrand models, which will serve to define equational 
automata in the next chapter. 
2.1 Terms 

A signature $\Sigma$ is a finite set of function symbols each having a non-negative arity, such that $\Sigma$ has 
at least one zero-ary symbol. The assumption of $\Sigma$ containing at least one zero-ary symbol is usually 
not made in the definition of a signature, and is made only for certain results. However we make this 
assumption at the beginning as it doesn't cause any significant loss of generality. 

Given a signature $\Sigma$ and a set $X$ of variables, the set $T(\Sigma, X)$ of terms built over $\Sigma$ and $X$ is 
defined inductively by the following two rules : 

- If $x \in X$ then $x \in T(\Sigma, X)$. 

- If $f \in \Sigma$ has arity $n$, and $t_1, \ldots, t_n \in T(\Sigma, X)$ then $f(t_1, \ldots, t_n) \in T(\Sigma, X)$. 

The set of ground terms is $T(\Sigma) = T(\Sigma, \emptyset)$. Since $\Sigma$ has at least one zero-ary symbol, $T(\Sigma, X)$ 
and $T(\Sigma)$ are guaranteed to be non-empty. 

Example 1 Let signature $\Sigma = \{O, S, +, \times\}$. We let $O$ be zero-ary, $S$ be unary and $+$ and $\times$ 
be binary. Some examples of terms on this signature are $O$, $S(O)$, $S(S(S(O)))$ and $S(\times(+(S(S(O)), O), S(O)))$. 

It is also natural to think of these terms as trees (which justifies the name "tree automata" instead 
of "term automata"; the "tree automata" are supposed to accept terms on some signature $\Sigma$). For 
example the term $S(\times(+(S(S(O)), O), S(O)))$ of Example 1 can be written as in Figure 2.1. For 
any set $S$ we denote by $S^*$ the set of all finite sequences of elements of $S$, which are also called 
the strings on $S$. The empty string is denoted by $\epsilon$. Given strings $x$ and $y$, we write $x \leq_{pref} y$ iff 
$x \cdot z = y$ for some string $z$. We write $x <_{pref} y$ iff $x \leq_{pref} y$ and $x \neq y$. Hence we can describe 
the positions of the various nodes in a tree using strings from $\mathbb{N}^*$. The position of the root node is $\epsilon$. 
If the position of a node is the string $p$, and the node has $k$ children, then the positions of the children 
nodes are $p \cdot 1, \ldots, p \cdot k$. Hence a tree can be thought of as a function from a finite set of positions 
to $\Sigma$. (Remember however that not all such functions represent terms on $\Sigma$.) If $t$ is a term and $p$ is a 
position in the term, then the subterm rooted at position $p$ is denoted by $t|_p$. If $s$ is another term then 
$t[s]_p$ denotes the replacement of the subterm at position $p$ in term $t$ by term $s$. 
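The term and position operations just defined, as an added example that is not part of the thesis: terms over the signature of Example 1 are encoded as nested tuples (the symbol first, then the arguments), positions as tuples of integers with the empty tuple for $\epsilon$, and $t|_p$, $t[s]_p$ and the prefix orderings are implemented directly from the definitions. The dictionary `SIGMA` and the function names are assumptions of this example, and `x` stands for $\times$.

```python
# Added example (not from the thesis): first order terms as nested tuples,
# with the positions, subterm and replacement operations of Section 2.1.
# A term is ('f', arg1, ..., argn); a position is a tuple of ints, () being epsilon.
# The children of position p are p+(1,), ..., p+(k,), 1-based as in the text.

# Signature of Example 1, assumed here as a dict symbol -> arity ('x' is the times symbol).
SIGMA = {"O": 0, "S": 1, "+": 2, "x": 2}

def is_term(t, sigma=SIGMA):
    """True iff t is a ground term over sigma: known symbol and arity respected at every node."""
    if not isinstance(t, tuple) or not t or t[0] not in sigma:
        return False
    if len(t) - 1 != sigma[t[0]]:
        return False
    return all(is_term(a, sigma) for a in t[1:])

def positions(t):
    """The set of positions of t; the root is ()."""
    pos = {()}
    for i, arg in enumerate(t[1:], start=1):
        pos |= {(i,) + q for q in positions(arg)}
    return pos

def subterm(t, p):
    """t|_p : the subterm rooted at position p."""
    for i in p:
        t = t[i]            # argument i sits at tuple index i (index 0 is the symbol)
    return t

def replace(t, p, s):
    """t[s]_p : t with the subterm at position p replaced by s."""
    if not p:
        return s
    i, rest = p[0], p[1:]
    return t[:i] + (replace(t[i], rest, s),) + t[i + 1:]

def is_prefix(x, y):
    """x <=_pref y : x . z = y for some string z."""
    return y[:len(x)] == x

def is_strict_prefix(x, y):
    """x <_pref y : a prefix, and x differs from y."""
    return is_prefix(x, y) and x != y

def to_string(t):
    """Prefix notation as written in the thesis, e.g. S(+(O,O))."""
    if len(t) == 1:
        return t[0]
    return t[0] + "(" + ",".join(to_string(a) for a in t[1:]) + ")"

# The term of Example 1: S(x(+(S(S(O)),O),S(O))).
O = ("O",)
def S(t): return ("S", t)
EXAMPLE_TERM = S(("x", ("+", S(S(O)), O), S(O)))

if __name__ == "__main__":
    print(to_string(EXAMPLE_TERM))
    print(sorted(positions(EXAMPLE_TERM)))
    print(to_string(subterm(EXAMPLE_TERM, (1, 1))))        # +(S(S(O)),O)
    print(to_string(replace(EXAMPLE_TERM, (1, 2), O)))     # S(x(+(S(S(O)),O),O))
```

`positions` returns nine positions for the example term, one per symbol occurrence, and `is_term` is the check that a function from positions to symbols really is a term, the caveat made in the paragraph above.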

2.2 First Order Logic 

A first order logic consists of a countably infinite set $X$ of variables, a signature $\Sigma$, and a finite set 
$\mathbf{P}$ of predicates each of which has a fixed arity. The terms of the logic are the elements of $T(\Sigma, X)$. 
The atoms are of the form $P(t_1, \ldots, t_n)$ where $P$ is a predicate of arity $n$. The formulas are of the form 
$A$, $\phi_1 \vee \phi_2$, $\phi_1 \wedge \phi_2$, $\phi_1 \Rightarrow \phi_2$, $\phi_1 \Leftrightarrow \phi_2$, $\neg \phi_1$, $\forall x \cdot \phi_1$, $\exists x \cdot \phi_1$, where $A$ is an atom, $x$ is a variable, and $\phi_1, \phi_2$ 
are formulas. A Tarskian interpretation (or simply interpretation) $I$ is a tuple $(D, (f_I)_{f \in \Sigma}, (P_I)_{P \in \mathbf{P}})$ 
such that $D$ is a non-empty set, $f_I : D^n \to D$ for each $f \in \Sigma$ of arity $n$, and $P_I \subseteq D^n$ for each 
predicate $P$ of arity $n$. $D$ will also be called the domain of the interpretation. If there is no confusion 
then the interpretation will be denoted by $D$, the functions will be denoted by $f_D$ for $f \in \Sigma$, and the 
predicates will be denoted by $P_D$ for $P \in \mathbf{P}$. 

A $D$-assignment is a function $\rho : X \to D$. Given an interpretation $I$ on domain $D$, and a $D$-assignment $\rho$, the semantics $[\![t]\!]I\rho \in D$ and $[\![\phi]\!]I\rho \in Bool = \{tt, ff\}$ of term $t$ and formula $\phi$ 
respectively are recursively defined as follows, where $\vee_{Bool}$, $\wedge_{Bool}$, $\Rightarrow_{Bool}$, $\Leftrightarrow_{Bool}$, $\neg_{Bool}$ are the usual logical 
operations on the booleans. 

- $[\![x]\!]I\rho = \rho(x)$ 

- $[\![f(t_1, \ldots, t_n)]\!]I\rho = f_I([\![t_1]\!]I\rho, \ldots, [\![t_n]\!]I\rho)$ 

- $[\![P(t_1, \ldots, t_n)]\!]I\rho = tt$ iff $([\![t_1]\!]I\rho, \ldots, [\![t_n]\!]I\rho) \in P_I$. 

- $[\![\neg \phi]\!]I\rho = \neg_{Bool} [\![\phi]\!]I\rho$. 

- $[\![\phi_1 \vee \phi_2]\!]I\rho = [\![\phi_1]\!]I\rho \vee_{Bool} [\![\phi_2]\!]I\rho$. 

- $[\![\phi_1 \wedge \phi_2]\!]I\rho = [\![\phi_1]\!]I\rho \wedge_{Bool} [\![\phi_2]\!]I\rho$. 

- $[\![\phi_1 \Rightarrow \phi_2]\!]I\rho = [\![\phi_1]\!]I\rho \Rightarrow_{Bool} [\![\phi_2]\!]I\rho$. 

- $[\![\phi_1 \Leftrightarrow \phi_2]\!]I\rho = [\![\phi_1]\!]I\rho \Leftrightarrow_{Bool} [\![\phi_2]\!]I\rho$. 

- $[\![\forall x \cdot \phi]\!]I\rho = tt$ iff $[\![\phi]\!]I(\rho[x \mapsto d]) = tt$ for all $d \in D$. 

- $[\![\exists x \cdot \phi]\!]I\rho = tt$ iff $[\![\phi]\!]I(\rho[x \mapsto d]) = tt$ for some $d \in D$. 

FIG. 2.1 - The term $S(\times(+(S(S(O)), O), S(O)))$ as a tree 

$I$ is a model of $\phi$ iff for every $\rho$, $[\![\phi]\!]I\rho = tt$. If $S$ is a set of formulas then $I$ is a model of $S$ iff 
$I$ is a model of every $\phi \in S$. These are written as $I \models \phi$ and $I \models S$. If $S$ is a formula or a set of 
formulas, and $S'$ is a formula or a set of formulas, then $S'$ is a semantic consequence of $S$, written 
$S \models S'$, iff for every $I$ such that $I \models S$ we have $I \models S'$. We write $\models S$ iff $\emptyset \models S$. ($\emptyset$ is the empty 
set.) $S$ is said to be satisfiable iff it has some model, otherwise it is said to be unsatisfiable. We use 
the symbol $\bot$ to denote some formula of the form $\phi \wedge \neg\phi$. (The choice of $\phi$ will be irrelevant for 
our discussion.) Observe that $[\![\bot]\!]I\rho = ff$ for every $I$ and every $\rho$. Hence $\bot$ represents the "false" 
formula. (Alternatively we could have chosen to have a special symbol for a "false" formula in our 
syntax.) 

A Herbrand interpretation is an interpretation $(D, (f_D)_{f \in \Sigma}, (P_D)_{P \in \mathbf{P}})$ such that $D = T(\Sigma)$ and 
$f_D(t_1, \ldots, t_n) = f(t_1, \ldots, t_n)$ for $f \in \Sigma$ of arity $n$ and $t_1, \ldots, t_n \in T(\Sigma)$. Since the domain of the 
interpretation as well as the interpretation of function symbols is the same for all Herbrand interpretations, we only need to specify the interpretation of predicates. Hence a Herbrand interpretation can 
also be thought of as the set of ground atoms $P(t_1, \ldots, t_n)$ such that the tuple $(t_1, \ldots, t_n)$ is in the 
interpretation of $P$. A Herbrand model (of a formula or a set of formulas) is a Herbrand interpretation 
which is a model. 

A substitution is a function $\sigma : X \to T(\Sigma, X)$. $\sigma$ is a ground substitution iff $\sigma(x)$ is a ground 
term for every $x \in X$. We assume that the result $t\sigma \in T(\Sigma, X)$ of applying a substitution $\sigma$ on a term 
$t \in T(\Sigma, X)$ is defined as usual. 

The notion of free variables in a formula is defined as usual. A formula is called quantifier free 
if the universal quantifier $\forall$ and the existential quantifier $\exists$ don't occur in it. A universal formula is a 
formula of the form $\forall x_1 \cdot \ldots \forall x_n \cdot \phi$ where $\phi$ is quantifier free and all the free variables of $\phi$ are in 
the set $\{x_1, \ldots, x_n\}$. 

Theorem 1 (Herbrand) A set of universal formulas has a model iff it has a Herbrand model. 

Observe from our definitions that if $\forall x_1 \cdot \ldots \forall x_n \cdot \phi$ is a universal formula where $\phi$ is quantifier 
free then for any interpretation $I$, $I \models \phi$ iff $I \models \forall x_1 \cdot \ldots \forall x_n \cdot \phi$. Hence we can also restate Herbrand's 
Theorem to state that a set of quantifier free formulas has a model iff it has a Herbrand model. 

A definite clause is a quantifier free formula of the form $A \Leftarrow A_1 \wedge \ldots \wedge A_n$ where $n \geq 0$ and 
$A, A_1, \ldots, A_n$ are atoms. A logic program is a set of definite clauses. 

Given a logic program $\mathcal{P}$, define a Herbrand interpretation $H_{\mathcal{P}}$ inductively using the following 
rule : 

- If $A \Leftarrow A_1 \wedge \ldots \wedge A_n \in \mathcal{P}$ and for some ground substitution $\sigma$, $A_1\sigma, \ldots, A_n\sigma \in H_{\mathcal{P}}$ then 
$A\sigma \in H_{\mathcal{P}}$. 

Lemma 1 (Least Herbrand Model) We have the following results : 

(i) $H_{\mathcal{P}}$ is a Herbrand model of $\mathcal{P}$. 

(ii) For every Herbrand model $H$ of $\mathcal{P}$, we have $H_{\mathcal{P}} \subseteq H$. Hence $H_{\mathcal{P}}$ is called the least Herbrand 
model of $\mathcal{P}$. 

(iii) For every ground atom $A$, $A \in H_{\mathcal{P}}$ iff $\mathcal{P} \models A$. 

Define a query clause to be a clause of the form $\bot \Leftarrow A_1 \wedge \ldots \wedge A_n$ where $A_1, \ldots, A_n$ are atoms. 
We have the result 

Lemma 2 (Queries) Let $\mathcal{P}$ be a logic program and $\bot \Leftarrow A_1 \wedge \ldots \wedge A_n$ a query clause. Then $\mathcal{P} \cup \{\bot \Leftarrow 
A_1 \wedge \ldots \wedge A_n\}$ is unsatisfiable iff there is a ground substitution $\sigma$ such that $A_1\sigma, \ldots, A_n\sigma \in H_{\mathcal{P}}$. 

2.3 Rewriting Systems and Equational Theories 

A rewriting rule is a pair of terms $s$ and $t$, written as $s \to t$. A rewriting system is a set of 
rewriting rules. Given a rewriting system $\mathcal{R}$, we define the one-step reduction relation $\to_{\mathcal{R}}$ by the 
following rule : for every term $u$, position $p$ in $u$, rewriting rule $s \to t \in \mathcal{R}$, and substitution $\sigma$, 
$u[s\sigma]_p \to_{\mathcal{R}} u[t\sigma]_p$. The rewriting relation $\to^*_{\mathcal{R}}$ is the reflexive transitive closure of $\to_{\mathcal{R}}$. 

An equation is a first order logic formula of the form $s \doteq t$ where $\doteq$ is a special binary predicate 
symbol which is called the equality symbol. An equational theory is a set of equations. 

Given an equational theory $E$ we define the associated rewriting system $\mathcal{R}_E$ to consist of rules 
$s \to t$ and $t \to s$ for every equation $s \doteq t \in E$. The one-step reduction relation $\to_E$ is defined to be 
$\to_{\mathcal{R}_E}$ and the relation $=_E$ is defined to be $\to^*_{\mathcal{R}_E}$. $=_E$ is an equivalence relation on terms. Actually it 
is a congruence relation, which is defined as an equivalence relation $\sim$ such that whenever $s_i \sim t_i$ for 
$1 \leq i \leq n$ and $f \in \Sigma$ is $n$-ary, then $f(s_1, \ldots, s_n) \sim f(t_1, \ldots, t_n)$. For an equivalence relation $\sim$ on a 
set $S$, we use the notation $S/\!\sim$ to denote the set of equivalence classes of $S$ modulo $\sim$. For $s \in S$, 
$[s]_\sim$ denotes the equivalence class which contains $s$. 
An equational term rewriting system (ETRS) $\mathcal{R}/E$ is a rewriting system $\mathcal{R}$ together with an equational theory $E$. An equational rewriting system $\mathcal{R}/E$ defines a binary relation $\to_{\mathcal{R}/E}$ on the set 
$T(\Sigma)/\!=_E$ of equivalence classes modulo $=_E$ as follows : we say that $[s]_E \to_{\mathcal{R}/E} [t]_E$ iff there 
are terms $s' \in [s]_E$ and $t' \in [t]_E$ such that $s' \to_{\mathcal{R}} t'$. 

Definition 1 Let $\to$ be a binary relation on a set $S$. 

(i) $s \in S$ is normal iff there is no $s' \in S$ such that $s \to s'$. $s \in S$ is a normal form for $t \in S$ iff $s$ is 
normal and $t \to^* s$. 

(ii) $\to$ is terminating iff there is no infinite sequence of the form $s_0 \to s_1 \to s_2 \to \ldots$ 

(iii) $\to$ is confluent iff $\forall s, s_1, s_2 \cdot s \to^* s_1 \wedge s \to^* s_2 \Rightarrow \exists s' \cdot s_1 \to^* s' \wedge s_2 \to^* s'$ 

(iv) $\to$ is locally confluent iff $\forall s, s_1, s_2 \cdot s \to s_1 \wedge s \to s_2 \Rightarrow \exists s' \cdot s_1 \to^* s' \wedge s_2 \to^* s'$ 

(v) Let $\sim$ be the reflexive symmetric transitive closure of $\to$. $\to$ is said to be Church-Rosser iff 
$\forall s_1, s_2 \cdot s_1 \sim s_2 \Rightarrow \exists s \cdot s_1 \to^* s \wedge s_2 \to^* s$. 

Lemma 3 A binary relation $\to$ on a set $S$ is Church-Rosser iff it is confluent. 

Lemma 4 (Newman's Lemma [New42]) A terminating binary relation $\to$ on a set $S$ is confluent iff 
it is locally confluent. 
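The one-step reduction relation $\to_{\mathcal{R}}$ of Section 2.3 and the normal forms of Definition 1, as an added example that is not part of the thesis: `one_step` enumerates every $u[t\sigma]_p$ obtainable from a term by matching a rule left-hand side at some position, and `normal_forms` explores $\to^*_{\mathcal{R}}$ breadth-first until only normal terms remain. The rewriting system `ADD_RULES` (addition on $O$/$S$ numerals) and all function names are assumptions of this example; rule variables are written as bare strings.

```python
# Added example (not from the thesis): one-step reduction, the rewriting
# relation and normal forms (Section 2.3, Definition 1) for ground terms.
# Terms are nested tuples ('f', arg1, ..., argn); rule variables are bare strings.
# ADD_RULES is an assumed rewriting system for addition on O/S numerals.

def match(pattern, term, subst=None):
    """Return a substitution sigma with pattern*sigma == term, or None if none exists."""
    subst = {} if subst is None else dict(subst)
    if isinstance(pattern, str):                 # a rule variable
        if pattern in subst:
            return subst if subst[pattern] == term else None
        subst[pattern] = term
        return subst
    if pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p_arg, t_arg in zip(pattern[1:], term[1:]):
        subst = match(p_arg, t_arg, subst)
        if subst is None:
            return None
    return subst

def apply_subst(pattern, subst):
    """pattern*sigma : instantiate the variables of a rule side."""
    if isinstance(pattern, str):
        return subst[pattern]
    return (pattern[0],) + tuple(apply_subst(a, subst) for a in pattern[1:])

def one_step(term, rules):
    """All u' with term ->_R u' : every rule at every position, every match."""
    results = set()
    for lhs, rhs in rules:                       # rewrite at the root (position epsilon)
        sigma = match(lhs, term)
        if sigma is not None:
            results.add(apply_subst(rhs, sigma))
    for i in range(1, len(term)):                # rewrite inside argument i (positions i.p)
        for reduct in one_step(term[i], rules):
            results.add(term[:i] + (reduct,) + term[i + 1:])
    return results

def is_normal(term, rules):
    """Definition 1 (i): no one-step reduct exists."""
    return not one_step(term, rules)

def normal_forms(term, rules, limit=10000):
    """All normal forms reachable by ->*_R, by breadth-first search over reducts;
    bounded so that a non-terminating system cannot loop forever."""
    seen, frontier, normal = {term}, [term], set()
    while frontier and len(seen) < limit:
        nxt = []
        for u in frontier:
            reducts = one_step(u, rules)
            if not reducts:
                normal.add(u)
            for v in reducts:
                if v not in seen:
                    seen.add(v)
                    nxt.append(v)
        frontier = nxt
    return normal

O = ("O",)
def S(t): return ("S", t)
def plus(a, b): return ("+", a, b)

# Assumed rules: +(O, x) -> x and +(S(x), y) -> S(+(x, y)).
ADD_RULES = [
    (plus(O, "x"), "x"),
    (plus(S("x"), "y"), S(plus("x", "y"))),
]

def add_numerals(a, b):
    """Normalize +(a, b); ADD_RULES is terminating and confluent, so the normal form is unique."""
    nfs = normal_forms(plus(a, b), ADD_RULES)
    assert len(nfs) == 1
    return nfs.pop()

if __name__ == "__main__":
    two, one = S(S(O)), S(O)
    print(add_numerals(two, one))          # ('S', ('S', ('S', ('O',))))
    print(is_normal(plus(two, one), ADD_RULES), is_normal(S(S(S(O))), ADD_RULES))
```

For a confluent system every term has at most one normal form, which is what `add_numerals` relies on; for a system that is not confluent `normal_forms` may return several, which makes the difference between Definition 1 (iii) and a mere terminating relation visible on concrete input.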

2.4 Tree Automata 

Tree automata [CDG+97, GS97] are extensions of the concept of the automata for strings which 
accept regular languages of strings. Tree automata work on terms instead of strings. A tree automaton 
accepts a set of terms which is said to be the language accepted by the automaton. 

We first present the 'classical' notion of tree automata, before talking of its extensions. These are 
the automata that are usually called "tree automata" in the literature. As remarked in [CDG+97], it is 
convenient to describe classical tree automata as rewriting rules. We assume fixed a signature $\Sigma$. 

Definition 2 (Classical Tree Automata) A classical tree automaton $\mathcal{A}$ has a finite set $Q$ of states 
(disjoint from $\Sigma$), and a finite set of transitions. A transition is a rewriting rule of the form 

$f(q_1, \ldots, q_n) \to q$ 

where $f \in \Sigma$ is an $n$-ary symbol, and $q_1, \ldots, q_n, q \in Q$, or of the form 

$q \to q'$ 

where $q, q' \in Q$. 

Hence the set of transitions is a rewriting system (also denoted by the same $\mathcal{A}$) on the signature $\Sigma \cup Q$ 
where the elements of $Q$ are treated as constants. We then say that a term $t$ (on signature $\Sigma$) is accepted 
at a state $q$ iff $t \to^*_{\mathcal{A}} q$. In addition we specify one state in $Q$ to be the final state of $\mathcal{A}$. Then the set 
of terms accepted at the final state is called the language accepted by the automaton. Unlike in other 
presentations, in this thesis we always assume our automata to have a unique final state. This does not 
entail any loss of expressiveness for the classes of automata studied in this thesis. 

In the above presentation, the rewriting derivations play the role of the runs of the automata described in other presentations. Intuitively, a transition $f(q_1, \ldots, q_n) \to q$ means : "if terms $t_1, \ldots, t_n$ 
are accepted at states $q_1, \ldots, q_n$ respectively, then the term $f(t_1, \ldots, t_n)$ is accepted at state $q$". A 
transition of the form $q \to q'$ means : "if term $t$ is accepted at state $q$ then $t$ is accepted at state $q'$". 
Example 2 Let $\Sigma = \{O, S, +, \times\}$ where $O$ is zero-ary, $S$ is unary and $+, \times$ are binary. Consider an 
automaton with $Q = \{q_{even}, q_{odd}, q_{all}\}$ as the set of states and having the following transitions : 

$O \to q_{even}$ 
$S(q_{even}) \to q_{odd}$ 
$S(q_{odd}) \to q_{even}$ 
$+(q_{even}, q_{even}) \to q_{even}$ 
$+(q_{even}, q_{odd}) \to q_{odd}$ 
$+(q_{odd}, q_{even}) \to q_{odd}$ 
$+(q_{odd}, q_{odd}) \to q_{even}$ 
$\times(q_{even}, q_{even}) \to q_{even}$ 
$\times(q_{even}, q_{odd}) \to q_{even}$ 
$\times(q_{odd}, q_{even}) \to q_{even}$ 
$\times(q_{odd}, q_{odd}) \to q_{odd}$ 
$q_{even} \to q_{all}$ 
$q_{odd} \to q_{all}$ 

Then thinking of the terms as denoting natural numbers, it can be checked that $q_{even}$ and $q_{odd}$ accept 
exactly the even and odd numbers, whereas $q_{all}$ accepts all numbers. The following is an example run 
in the automaton, where the binary operators have been written in infix notation for readability : 

$(S(O) + S(S(O))) \times S(S(S(O)))$ 
$\to (S(q_{even}) + S(S(O))) \times S(S(S(O)))$ 
$\to^* (S(q_{even}) + S(S(q_{even}))) \times S(S(S(q_{even})))$ 
$\to^* (q_{odd} + S(q_{odd})) \times S(S(q_{odd}))$ 
$\to^* (q_{odd} + q_{even}) \times S(q_{even})$ 
$\to^* q_{odd} \times q_{odd}$ 
$\to q_{odd}$ 
$\to q_{all}$ 

There are several questions that we may ask about a given class of tree automata : 

Decidability of emptiness : Given an automaton, can we decide whether it accepts at least one term ? 

Decidability of membership : Is it decidable whether a given term is accepted by a given automaton ? 

Decidability of intersection emptiness : Given two automata, is it decidable whether they accept a 
common term ? 

Closure under union : Is the class of languages accepted by the automata closed under union ? 

Closure under intersection : Is the class of languages accepted by the automata closed under intersection ? 

Closure under complementation : Is the class of languages accepted by the automata closed under 
complementation ? 

As an abuse of language, we say that a class of automata is closed under union (resp. intersection, 
complementation) if the class of languages accepted by them is closed under union (resp. intersection, 
complementation). Also by "emptiness of an automaton" we mean emptiness of the language accepted 
by the automaton. As far as classical tree automata are concerned, the languages accepted 
by them are referred to as regular tree languages (the equivalent notion of the regular languages of 
strings). It is well known that regular tree languages are closed under all Boolean operations and 
their emptiness is decidable. This also implies decidability of the membership and intersection emptiness 
problems. 
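The run of Example 2 and the decision questions just listed, as an added example that is not part of the thesis: `run` computes the set of states $q$ with $t \to^*_{\mathcal{A}} q$ bottom-up (so membership is decided), `nonempty_states` is the least-fixpoint emptiness test, and `intersection` is the product construction behind closure under intersection. The transitions are those of Example 2; the second automaton `NO_TIMES` (accepting the $\times$-free terms), the final-state choices and all names are assumptions of this example, and `x` stands for $\times$.

```python
# Added example (not from the thesis): bottom-up runs, emptiness and the product
# construction for classical tree automata (Definition 2), on the automaton of
# Example 2. Terms are nested tuples ('f', arg1, ..., argn).
from itertools import product

# A transition f(q1,...,qn) -> q is (f, (q1,...,qn), q); an epsilon transition
# q -> q' is ('eps', (q,), q'). Transitions of Example 2 ('x' is the times symbol).
EVEN_ODD = {
    "states": {"even", "odd", "all"},
    "final": "all",
    "transitions": [
        ("O", (), "even"),
        ("S", ("even",), "odd"), ("S", ("odd",), "even"),
        ("+", ("even", "even"), "even"), ("+", ("even", "odd"), "odd"),
        ("+", ("odd", "even"), "odd"), ("+", ("odd", "odd"), "even"),
        ("x", ("even", "even"), "even"), ("x", ("even", "odd"), "even"),
        ("x", ("odd", "even"), "even"), ("x", ("odd", "odd"), "odd"),
        ("eps", ("even",), "all"), ("eps", ("odd",), "all"),
    ],
}
# Same transitions with q_even final: accepts exactly the even numbers (assumed variant).
EVENS = dict(EVEN_ODD, final="even")
# Assumed second automaton: one state 'n' accepting exactly the x-free terms.
NO_TIMES = {"states": {"n"}, "final": "n",
            "transitions": [("O", (), "n"), ("S", ("n",), "n"), ("+", ("n", "n"), "n")]}

def epsilon_closure(states, automaton):
    """Add every q' with q -> q' for some q already in the set, until stable."""
    states, changed = set(states), True
    while changed:
        changed = False
        for f, args, q in automaton["transitions"]:
            if f == "eps" and args[0] in states and q not in states:
                states.add(q); changed = True
    return states

def run(term, automaton):
    """Set of states q with term ->*_A q (a set, since the automaton may be nondeterministic)."""
    arg_states = [run(a, automaton) for a in term[1:]]
    states = set()
    for f, args, q in automaton["transitions"]:
        if f == term[0] and len(args) == len(arg_states) \
           and all(qi in si for qi, si in zip(args, arg_states)):
            states.add(q)
    return epsilon_closure(states, automaton)

def accepts(term, automaton):
    return automaton["final"] in run(term, automaton)

def nonempty_states(automaton):
    """Least fixpoint of the states accepting at least one term: a state is marked
    once some transition into it has all of its argument states marked."""
    marked, changed = set(), True
    while changed:
        changed = False
        for f, args, q in automaton["transitions"]:
            if q not in marked and all(a in marked for a in args):
                marked.add(q); changed = True
    return marked

def is_empty(automaton):
    return automaton["final"] not in nonempty_states(automaton)

def intersection(a, b):
    """Product automaton: state (p, q) accepts t iff p accepts t in a and q accepts t in b.
    An epsilon transition on one side is paired with staying put on the other side."""
    trans = []
    for f, args, q in a["transitions"]:
        if f == "eps":
            trans += [("eps", ((args[0], r),), (q, r)) for r in b["states"]]
            continue
        for g, brgs, r in b["transitions"]:
            if g == f:                       # same symbol, hence same arity
                trans.append((f, tuple(zip(args, brgs)), (q, r)))
    for g, brgs, r in b["transitions"]:
        if g == "eps":
            trans += [("eps", ((p, brgs[0]),), (p, r)) for p in a["states"]]
    return {"states": set(product(a["states"], b["states"])),
            "final": (a["final"], b["final"]), "transitions": trans}

O = ("O",)
def S(t): return ("S", t)
RUN_TERM = ("x", ("+", S(O), S(S(O))), S(S(S(O))))    # the run of Example 2: (1+2)x3 = 9

if __name__ == "__main__":
    print(run(RUN_TERM, EVEN_ODD))                      # {'odd', 'all'}
    print(is_empty(intersection(EVENS, NO_TIMES)))      # False: O is even and x-free
```

The product automaton has $|Q_a| \cdot |Q_b|$ states and is again a classical tree automaton, so `is_empty` applied to it decides intersection emptiness; `run` on the product returns exactly the pairs of states reached on both sides, which is the invariant the construction rests on.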
There is a large literature on finite tree automata, see [CDG+97, GS97]. Applications abound 
in rewriting and automated theorem proving, notably : approximations of reachability sets for rewrite systems [Gen98], disunification and inductive reducibility [LM94], unification under constraints 
[KFK97], ground reducibility [CJ97], automated inductive theorem proving [BJ97], fast tree matching 
[Li88], automated model building in first-order logic [Pel97], etc. These applications deal with automata on finite trees, and this is what we are interested in here. We won't deal with automata on infinite 
trees [Tho90], which are also fundamental, e.g. in temporal and program logics [EJ88]. 


2.4.1 Tree Automata and First Order Logic 


It is natural to consider the transitions of tree automata described above as formulas of first order 
logic. The idea of the translation can be expressed as the following informal identities : 

state of automaton = predicate of first order logic 
transition of automaton = definite clause 
automaton = logic program 
atom $P(t)$ = term $t$ is accepted at state $P$ 


The signature $\Sigma$ of the logic is the same as the signature on which the automaton works. The set 
of predicates of the logic is the set of states in the automaton. The atom $P(t)$ of first order logic is 
considered to mean that the term $t$ is accepted at the state $P$. Then it is natural to translate the transition 

$f(q_1, \ldots, q_n) \to q$ 

of automata as the definite clause 

$q(f(x_1, \ldots, x_n)) \Leftarrow q_1(x_1) \wedge \ldots \wedge q_n(x_n)$ 

where the $x_i$'s are distinct variables. The transition 

$q \to q'$ 

can be translated as the definite clause 

$q'(x) \Leftarrow q(x)$ 

Example 3 The transitions of the automaton in Example 2 translated to definite clauses are listed 
below (in the order of the corresponding transitions in Example 2). 

$q_{even}(O)$ 
$q_{odd}(S(x)) \Leftarrow q_{even}(x)$ 
$q_{even}(S(x)) \Leftarrow q_{odd}(x)$ 
$q_{even}(+(x, y)) \Leftarrow q_{even}(x) \wedge q_{even}(y)$ 
$q_{odd}(+(x, y)) \Leftarrow q_{even}(x) \wedge q_{odd}(y)$ 
$q_{odd}(+(x, y)) \Leftarrow q_{odd}(x) \wedge q_{even}(y)$ 
$q_{even}(+(x, y)) \Leftarrow q_{odd}(x) \wedge q_{odd}(y)$ 
$q_{even}(\times(x, y)) \Leftarrow q_{even}(x) \wedge q_{even}(y)$ 
$q_{even}(\times(x, y)) \Leftarrow q_{even}(x) \wedge q_{odd}(y)$ 
$q_{even}(\times(x, y)) \Leftarrow q_{odd}(x) \wedge q_{even}(y)$ 
$q_{odd}(\times(x, y)) \Leftarrow q_{odd}(x) \wedge q_{odd}(y)$ 
$q_{all}(x) \Leftarrow q_{even}(x)$ 
$q_{all}(x) \Leftarrow q_{odd}(x)$ 
Then this translation has the following nice property : 

Lemma 5 (Automata as Logic Programs) Let $\mathcal{P}$ be the set of definite clauses obtained by translation of automaton $\mathcal{A}$. Then for any term $t$ and state $q$ in the automaton $\mathcal{A}$, $t$ is accepted at $q$ iff 
$\mathcal{P} \models q(t)$. 

In other words, the least Herbrand model of the logic program associated with the automaton 
contains exactly the atoms $q(t)$ such that $t$ is accepted at $q$ in the automaton. We have the following 
corollaries : 

Corollary 1 (Automata Queries as Query Clauses) Let $\mathcal{P}$ be the set of definite clauses obtained by 
translation of automaton $\mathcal{A}$. Then : 

1. The language accepted by the state $q$ in $\mathcal{A}$ is non-empty iff $\mathcal{P} \cup \{\bot \Leftarrow q(x)\}$ is unsatisfiable. 

2. Term $t$ is accepted at state $q$ iff $\mathcal{P} \cup \{\bot \Leftarrow q(t)\}$ is unsatisfiable. 

3. Term $t$ is accepted at each of the states $q_1, \ldots, q_n$ iff $\mathcal{P} \cup \{\bot \Leftarrow q_1(t) \wedge \ldots \wedge q_n(t)\}$ is unsatisfiable. 

4. There is some term accepted at each of the states $q_1, \ldots, q_n$ iff $\mathcal{P} \cup \{\bot \Leftarrow q_1(x) \wedge \ldots \wedge q_n(x)\}$ 
is unsatisfiable. 

We have purposely chosen to view automata as logic programs in this thesis, because the formalism of first order logic makes it much more convenient to describe the extensions of the classical tree 
automata that we study in this thesis. Firstly, by allowing newer forms of definite clauses other than 
the two seen above, we have a very expressive formalism for describing various extended notions of 
tree automata. Secondly, the formalism of definite clauses makes it possible to define the equational 
variants of tree automata in an elegant way, as we will see later. Thirdly, the above corollary allows us 
to reduce various decision problems about automata to the satisfiability problem in first order logic. 
For the latter problem, there are many powerful techniques known, notably various refinements of 
resolution, which allow us to get decision procedures for various fragments of first order logic. 

2.4.2 General Two-Way Tree Automata 

Now we describe an extension of the above notion of classical tree automata, which we call general two-way tree automata. Having seen how classical tree automata can be viewed as a set of definite 
clauses, it is now easy to describe this new class of automata by adding the following new kind of 
definite clause 

$q(x_i) \Leftarrow p(f(x_1, \ldots, x_n)) \wedge q_1(x_{i_1}) \wedge \ldots \wedge q_k(x_{i_k})$ 

where $1 \leq i, i_1, \ldots, i_k \leq n$ and $k \geq 0$. The variables $x_1, \ldots, x_n$ are pairwise distinct, but the 
indexes $i_j$'s need not be pairwise distinct. These clauses are called general push clauses. 

In comparison the previous two forms of clauses 

$q(f(x_1, \ldots, x_n)) \Leftarrow q_1(x_1) \wedge \ldots \wedge q_n(x_n)$ 

and 

$q'(x) \Leftarrow q(x)$ 

are called pop clauses and epsilon clauses respectively. We define general two-way automata to 
contain pop clauses, epsilon clauses and general push clauses. The classical tree automata seen above 
contain pop clauses and epsilon clauses, and they are called one-way automata to distinguish them 
from two-way automata. 

The general push clause above can be read as "if term $f(t_1, \ldots, t_n)$ is accepted at state $p$ and 
subterms $t_{i_1}, \ldots, t_{i_k}$ are accepted at states $q_1, \ldots, q_k$ then the subterm $t_i$ is accepted at state $q$". 
Hence intuitively this clause provides us a mechanism of destructing terms, as against the pop clauses 
which provide us a mechanism of constructing terms. 

Sometimes we also need intersection clauses : 

$q(x) \Leftarrow q_1(x) \wedge q_2(x)$ 

Such clauses can be read as "if term $t$ is accepted at both states $q_1$ and $q_2$ then it is also accepted 
at state $q$". This clause can easily be seen to encode the following more general form of intersection 
clauses, by using some new auxiliary states : 

$q(x) \Leftarrow q_1(x) \wedge \ldots \wedge q_n(x)$ 

where $n \geq 2$. Alternating (one-way or general two-way) automata are the automata obtained by 
adding intersection clauses to (one-way or two-way) automata. 

Alternating and two-way variants have been well studied [CDG+97, FSVY91, Slu85]. Their correspondence with set constraints is described in [CDG+97]. Beware that the names of "pop" and 
"push" clauses are interchanged in [CDG+97]. [CDG+97] states that : 

Lemma 6 ([CDG+97]) An automaton containing pop clauses, intersection clauses and clauses of the 
form $q(x) \Leftarrow q'(t)$ where $t$ is linear, can be effectively converted to a one-way tree automaton accepting 
the same language. 

This result actually allows us to conclude that an automaton containing pop clauses, epsilon 
clauses, intersection clauses and general push clauses can be effectively converted to an equivalent 
one-way tree automaton. However since we have been unable to find a proof of this result in full 
generality in print, we outline here a simple translation based on Lemma 6. 

Theorem 2 An automaton containing pop clauses, epsilon clauses, intersection clauses and general 
push clauses can be effectively converted to a one-way tree automaton accepting the same language. 

Proof: Let $\mathcal{A}$ be an automaton containing pop clauses, epsilon clauses, intersection clauses and 
general push clauses. Without loss of generality we can assume that in the general push clauses 

$q(x_i) \Leftarrow p(f(x_1, \ldots, x_n)) \wedge q_1(x_{i_1}) \wedge \ldots \wedge q_k(x_{i_k})$ 

every $x_j$ occurs in the set $\{x_{i_1}, \ldots, x_{i_k}\}$. If not we can replace this clause by the clause 

$q(x_i) \Leftarrow p(f(x_1, \ldots, x_n)) \wedge q_1(x_{i_1}) \wedge \ldots \wedge q_k(x_{i_k}) \wedge q_{all}(x_j)$ 

where $q_{all}$ is a new state which accepts all terms. Such a translation preserves the language accepted 
by the automaton. Hence we can now assume that all the general push clauses in $\mathcal{A}$ are of the form 

$q(x_i) \Leftarrow p(f(x_1, \ldots, x_n)) \wedge B_1(x_1) \wedge \ldots \wedge B_n(x_n)$ 

where for $1 \leq i \leq n$, $B_i$ is a non-empty set of states, and given any set $B = \{p_1, \ldots, p_m\}$ we write 
$B(x)$ as an abbreviation for the conjunction $p_1(x) \wedge \ldots \wedge p_m(x)$. Now we define a new automaton 
$\mathcal{B}$ as follows. Let $Q$ be the set of states in $\mathcal{A}$. $\mathcal{B}$ has all the states of $Q$, as well as a state $\overline{B}$ for each 
$\emptyset \neq B \subseteq Q$, and states $q_{C,1}$ and $q_{C,2}$ for each general push clause $C$ in $\mathcal{A}$. $\mathcal{B}$ has all the pop clauses, 
epsilon clauses and intersection clauses of $\mathcal{A}$. For each $\emptyset \neq B = \{p_1, \ldots, p_m\} \subseteq Q$, $\mathcal{B}$ has the clause 

$\overline{B}(x) \Leftarrow B(x)$ 

Intuitively, the state $\overline{B}$ is intended to accept the intersection of the languages accepted at states 
$p_1, \ldots, p_m$. Besides, for each general push clause 

$C = q(x_i) \Leftarrow p(f(x_1, \ldots, x_n)) \wedge B_1(x_1) \wedge \ldots \wedge B_n(x_n)$ 

in $\mathcal{A}$, $\mathcal{B}$ has the clauses 

$q_{C,1}(f(x_1, \ldots, x_n)) \Leftarrow \overline{B_1}(x_1) \wedge \ldots \wedge \overline{B_n}(x_n)$ 
$q_{C,2}(x) \Leftarrow q_{C,1}(x) \wedge p(x)$ 
$q(x_i) \Leftarrow q_{C,2}(f(x_1, \ldots, x_n))$ 

$\mathcal{B}$ does not have any other clause. Then we can see that for every state $q \in Q$, $q$ accepts the same 
language in $\mathcal{A}$ as in $\mathcal{B}$. In particular, letting the final state of $\mathcal{B}$ be the same as the final state of $\mathcal{A}$, 
$\mathcal{A}$ and $\mathcal{B}$ accept the same language. Note that $\mathcal{B}$ only has pop clauses, epsilon clauses, intersection 
clauses and general push clauses of the restricted form $q_1(x_i) \Leftarrow q_2(f(x_1, \ldots, x_n))$ where $1 \leq i \leq n$ 
and $x_1, \ldots, x_n$ are mutually distinct variables. The required result then follows from Lemma 6. $\square$ 

General two-way tree automata are sometimes more convenient to work with because of the fact 
that they allow transition rules to destruct terms. In particular we will see their utility in the modeling of 
cryptographic protocols in Chapter 5. 

Finally we remark that the qualifier "general" has been used above because later, when we study 
equational variants of these automata, we will need to consider some restricted subclasses of these 
automata which will be more relevant for our purposes. 


2.5 Logic with Equality 

We now consider how to deal with equality in first order logic. There are several more or less 
equivalent ways to deal with equality in first order logic. Here we have chosen to deal with equality 
using axioms of equality. Given a signature $\Sigma$ and a set $\mathbf{P}$ of predicate symbols, we define the theory 
of equality $Eq_{\Sigma, \mathbf{P}}$ to consist of the formulas 

- $x \doteq x$ (Reflexivity) 

- $x \doteq y \Rightarrow y \doteq x$ (Symmetry) 

- $x \doteq y \wedge y \doteq z \Rightarrow x \doteq z$ (Transitivity) 

- $\bigwedge_{1 \leq i \leq n} x_i \doteq y_i \Rightarrow f(x_1, \ldots, x_n) \doteq f(y_1, \ldots, y_n)$ for every $f \in \Sigma$ of arity $n$ (Congruence 
axiom for function symbols) 

- $\bigwedge_{1 \leq i \leq n} x_i \doteq y_i \wedge P(x_1, \ldots, x_n) \Rightarrow P(y_1, \ldots, y_n)$ for every $P \in \mathbf{P}$, $P$ of arity $n$ (Congruence 
axiom for predicate symbols) 

We simply write $Eq$ when the signature and the set of predicates involved is clear from context. 
An equational interpretation is an interpretation $I$ such that $I \models Eq$. Given an equational theory $E$, 
an $E$-interpretation is an equational interpretation $I$ such that $I \models E$. We say that $I$ is an $E$-model of $S$, 
written $I \models_E S$, iff $I$ is an $E$-interpretation such that $I \models S$. $S'$ is a semantic $E$-consequence of $S$, 
written $S \models_E S'$, iff every $E$-model of $S$ is an $E$-model of $S'$. 

Since our principal motivation is to study equational variants of tree automata, we need to deal with logic programs in the presence of equality. Also observe that, since for our purposes the predicates of the logic represent states of automata, we only need to consider logic programs in which only unary predicates occur. In particular the equality symbol does not occur in these logic programs. Consider a logic program $\mathcal{P}$ in which the equality symbol $=$ does not occur, and let $E$ be an equational theory. Note that the formulas in $E$ and $Eq$ are all definite clauses. Hence $\mathcal{P} \cup E \cup Eq$ can be considered as a logic program (in which the equality symbol occurs), and so the logic program $\mathcal{P} \cup E \cup Eq$ has a least Herbrand model $H_{\mathcal{P} \cup E \cup Eq}$. (For the purposes of defining this least Herbrand model, the $=$ symbol is treated just like any other predicate.)

Now we inductively define a Herbrand interpretation $H_{\mathcal{P},E}$ using the following two rules:

- If $A \Leftarrow A_1 \wedge \ldots \wedge A_n \in \mathcal{P}$ and for some ground substitution $\sigma$, $A_1\sigma, \ldots, A_n\sigma \in H_{\mathcal{P},E}$ then $A\sigma \in H_{\mathcal{P},E}$.

- If $P(s_1, \ldots, s_n) \in H_{\mathcal{P},E}$ and $s_i =_E t_i$ for $1 \le i \le n$ then $P(t_1, \ldots, t_n) \in H_{\mathcal{P},E}$.

Observe that by definition $\mathcal{P} \cup E \cup Eq \models S$ iff $\mathcal{P} \models_E S$.

Lemma 7 (Equational Herbrand Models) We have the following results:

(i) For $s, t \in T(\Sigma)$, $s =_E t$ iff $\models_E s = t$ iff $\mathcal{P} \models_E s = t$.

(ii) $H_{\mathcal{P} \cup E \cup Eq} = H_{\mathcal{P},E} \cup \{ s = t \mid s, t \in T(\Sigma),\ s =_E t \}$.

For this reason, we can think of $H_{\mathcal{P},E}$ as the least Herbrand model of $\mathcal{P}$ modulo the equational theory $E$.
Chapter 3

Two-Way Equational Tree Automata


We introduce the notion of an equational tree automaton (resp. alternating, two-way) simply as a tree automaton (resp. alternating, two-way), but this time interpreted in a given equational theory. For this we rely on the notion of equational Herbrand model from the previous chapter. A typology of the different clause formats that we need to describe these automata is established: tree automata are sets of pop, epsilon, intersection (in the case of alternating automata), free push and general +-push clauses (in the case of two-way automata).

Along the way we examine in more detail the case of the equational theories AC, ACU, ACUI, ACUX, ACUX$_n$, ACUM, ACUD, and analyse in particular the form of terms modulo these theories. This analysis will be fundamental for the reduction algorithms presented in the rest of this thesis.

We end this chapter with a detailed comparison between our approach and similar approaches proposed in the literature, principally the AC automata of Lugiez and the E-automata of Ohsaki.
Having studied general two-way tree automata in the form of logic programs, and having seen how to deal with logic programs in the presence of an equational theory, we are now well equipped to define equational variants of general two-way tree automata.

3.1 Equational Tree Automata as Logic Programs Modulo Equational Theories

Fix a signature $\Sigma$ of function symbols, each coming with a fixed arity, and let $E$ be an equational theory, inducing the relation $=_E$ on the terms built from $\Sigma$, as defined in Chapter 1.

Recall that a definite clause (on unary predicates) is an implication of the form:

$P(t) \Leftarrow P_1(t_1) \wedge \ldots \wedge P_n(t_n)$ (3.1)

where $P, P_1, \ldots, P_n$ are unary predicates and $t, t_1, \ldots, t_n$ are terms built from $\Sigma$ and variables. We consider only definite clauses with unary predicates because that is all we need for defining our automata. We call $P(t)$ the head of the clause, and the list of atoms $P_1(t_1), \ldots, P_n(t_n)$ the body or tail of the clause. Given a finite set $\mathcal{A}$ of such definite clauses we define derivations of ground atoms using the following two rules:


$\dfrac{P_1(t_1\sigma)\ \ldots\ P_n(t_n\sigma)}{P(t\sigma)}$ (AUTO)   (if $\sigma$ is a ground substitution and $P(t) \Leftarrow P_1(t_1) \wedge \ldots \wedge P_n(t_n) \in \mathcal{A}$)

$\dfrac{P(s)}{P(t)}$ (E)   (if $s =_E t$)

Rule (AUTO) allows us to derive a new atom from other atoms using an automaton clause. Sometimes we use the notation

$\dfrac{P_1(t_1\sigma)\ \ldots\ P_n(t_n\sigma)}{P(t\sigma)}$ $(P(t) \Leftarrow P_1(t_1) \wedge \ldots \wedge P_n(t_n))$

to make explicit the clause used. Rule (E) allows us to derive a new atom from an old one using equational rewriting. Thus a derivation is a tree-like structure, which should not be confused with the trees which are the terms built from $\Sigma$. If there is a derivation with atom $P(t)$ as conclusion then we say that $P(t)$ is derivable in $\mathcal{A}/E$. Recall from the discussion in Chapter 1 that the set of derivable atoms is exactly the least Herbrand model of $\mathcal{A}$ modulo the theory $E$. Hence we have the result:


Lemma 8 For any set of definite clauses $\mathcal{A}$, equational theory $E$ and ground atom $P(t)$, $P(t)$ is derivable in $\mathcal{A}/E$ iff $\mathcal{A} \models_E P(t)$ iff $P(t) \in H_{\mathcal{A},E}$.

The connection of definite clauses with automata is as described in Chapter 1 for the non-equational case: predicates are states, finite sets of definite clauses are automata, and an atom $P(t)$ is derivable in $\mathcal{A}/E$ iff the term $t$ is accepted at state $P$ in the automaton $\mathcal{A}$. The derivations of atoms are the equivalent of the runs in classical tree automata. Of course, as in Chapter 1, we will be interested in automata in which the format of the definite clauses is sufficiently restricted so as to be able to prove any good properties.

The language $\mathcal{L}_P(\mathcal{A}/E)$ is the set of terms $t$ such that $P(t)$ is derivable in $\mathcal{A}/E$. When $E$ is the empty theory, we call it $\mathcal{L}_P(\mathcal{A})$. If in addition some state $P_f$ is specified as being final then the language accepted by $\mathcal{A}$ is $\mathcal{L}(\mathcal{A}/E) = \mathcal{L}_{P_f}(\mathcal{A}/E)$. Also, given a language $\mathcal{L}$ and an equational theory $E$, the $E$-closure of $\mathcal{L}$ is defined as $E(\mathcal{L}) = \{ t \mid \exists s \in \mathcal{L} \cdot t =_E s \}$. A set $\mathcal{L}$ of terms is said to be $E$-closed iff $E(\mathcal{L}) = \mathcal{L}$. Observe that we have chosen to define languages accepted by equational tree automata as sets of terms. Another equivalent approach is to let them accept equivalence classes of terms modulo an equational theory.

The (AUTO) and (E) rules can be combined to get the following derived rule:

$\dfrac{P_1(s_1)\ \ldots\ P_n(s_n)}{P(s)}$ (AUTO/E)   (if some $P(t) \Leftarrow P_1(t_1) \wedge \ldots \wedge P_n(t_n) \in \mathcal{A}$ and $\sigma$ is a ground substitution such that $s =_E t\sigma$ and $s_i =_E t_i\sigma$ for $1 \le i \le n$)

To make explicit the clause used, the above step will also be written as

$\dfrac{P_1(s_1)\ \ldots\ P_n(s_n)}{P(s)}$ $(P(t) \Leftarrow P_1(t_1) \wedge \ldots \wedge P_n(t_n) / E)$

Adding this new rule to the rules (AUTO) and (E) does not allow us to derive any new atoms. Also it is easy to see that this new derived rule subsumes the previous two rules. That is:

Observation 1 If $P(t)$ is derivable in $\mathcal{A}/E$ then it has a derivation which uses only rules of the form $P(t) \Leftarrow P_1(t_1) \wedge \ldots \wedge P_n(t_n) / E$ for clauses $P(t) \Leftarrow P_1(t_1) \wedge \ldots \wedge P_n(t_n) \in \mathcal{A}$.

We also introduce some notation. We will use the notation

$\dfrac{\vdots}{P(t)}$

to denote some derivation of $P(t)$. If we want to give this derivation a name $\pi$ then we use the notation

$\dfrac{\pi}{P(t)}$

A subderivation $\pi'$ of a derivation $\pi$ is precisely a subtree of $\pi$. We allow $\pi'$ to be the same as $\pi$. (The notion of subtree is well defined since, as we remarked above, our derivations are trees.) Similarly the notion of derivation $\pi_1$ being a child of derivation $\pi_2$ (or $\pi_2$ being the parent of $\pi_1$) is well defined. We write

$\pi = \dfrac{\dfrac{\pi_1}{P_1(t_1)}\ \ldots\ \dfrac{\pi_n}{P_n(t_n)}}{P(t)}$ $(S/E)$

to mean that $\pi$ is a derivation of $P(t)$, that the derivations $\pi_1, \ldots, \pi_n$ of $P_1(t_1), \ldots, P_n(t_n)$ respectively are the children of $\pi$ and that the rule used at the root node of $\pi$ is $C/E$ for some $C \in S$. $C$ is also called the last clause used by $\pi$. Similar remarks hold when instead of writing $(S/E)$ in the above diagram, we write just $(S)$ or $(C)$ for some clause $C$.

We write

$\pi = \dfrac{\dfrac{\pi_1}{P_1(t_1)}\ \ldots\ \dfrac{\pi_n}{P_n(t_n)}}{\begin{array}{c}\vdots\\ P(t)\end{array}}$ $(S/E)$

to mean that $\pi$ is a derivation of $P(t)$, that the derivations $\pi_1, \ldots, \pi_n$ of $P_1(t_1), \ldots, P_n(t_n)$ respectively are subderivations of $\pi$ and that outside the subderivations $\pi_1, \ldots, \pi_n$, the only clauses used (possibly none) are of the form $C/E$ for some $C \in S$. Similar remarks hold when in the diagram above we write just $(S)$ instead of $(S/E)$. In both diagrams above, we may also write some subderivation using the nameless notation, i.e. we may write

$\dfrac{\vdots}{P_i(t_i)}$

instead of

$\dfrac{\pi_i}{P_i(t_i)}$


3.2 Associative-Commutative Theories 


Having seen what equational tree automata are for an arbitrary equational theory, in this section we have a look at some of the specific equational theories that we are going to deal with in this thesis. We are primarily interested in the theory of associativity and commutativity, and its variants obtained by additional axioms. Since we are interested in associative-commutative theories, we assume that $\Sigma$ always contains a binary symbol $+$. The axioms of associativity and commutativity are

(A) $x + (y + z) = (x + y) + z$ (associativity)

(C) $x + y = y + x$ (commutativity)

Sometimes we also include a zero-ary symbol $0$ with the axiom

(U) $x + 0 = x$ (unit)

which says that $0$ is a unit of $+$.

We are also interested in the equational theories obtained by adding one of the following axioms to the theory of associativity and commutativity.

(X) $x + x = 0$ (axiom for exclusive-or)

(X$_n$) $\underbrace{x + \ldots + x}_{n \text{ times}} = 0$ (axiom for generalized xor) ($n \ge 2$)

(D) $-(x + y) = (-x) + (-y)$, $-(-x) = x$ and $-0 = 0$ (axioms for distributive but not cancellative minus symbol)

(M) $x + (-x) = 0$ (axiom for cancellative minus symbol)

(I) $x + x = x$ (idempotence)

where if the axioms M or D are considered then we assume that $\Sigma$ additionally contains a unary symbol $-$.

We name a theory by the names of its axioms; e.g., ACU is the theory of an associative-commutative symbol with unit, ACUX is the theory of exclusive-or, ACUM is the theory of Abelian groups. Note that the distributivity axioms D are implied by ACUM, so ACUD is a (strictly) weaker theory than ACUM. The D axioms should not be confused with the distributivity axioms for a binary symbol $\times$ over $+$ which are sometimes considered in the context of AC theories. The theories dealt with in this thesis are AC, ACU, ACUX, ACUX$_n$, ACUD, ACUM and ACUI. Observe that this includes the theory of associativity-commutativity (with unit), the theory of exclusive-or and the theory of Abelian groups, which are of particular importance from the point of view of verification of cryptographic protocols.

The symbols $+, -, 0$ are called equational symbols while the symbols in $\Sigma_f = \Sigma \setminus \{+, -, 0\}$ are called free symbols. Free symbols of zero arity will be called constants. Terms of the form $f(t_1, \ldots, t_n)$ where $f$ is free are called functional terms. To avoid confusion we assume that the symbols $-$ and $0$ are present in the signature only when we are working with an equational theory in which these symbols occur. For example, when working with ACUX automata, we assume that $- \notin \Sigma$ since the symbol $-$ does not occur in any of the axioms A, C, U and X. When working with the theory AC, we assume that $0, - \notin \Sigma$.

Assuming that $+ \in \Sigma$, we use the notation $t_1 + t_2 + \cdots + t_n$ for $n \ge 1$ to denote the term $((\ldots(t_1 + t_2) + \cdots) + t_n) \in T(\Sigma, \mathcal{X})$. (For $n = 1$ it is just the term $t_1$.) The choice of parentheses above is arbitrary, and any other choice would lead to an equivalent term modulo AC. This notation will be used only in a context where the choice of parentheses does not matter. Assuming that $0 \in \Sigma$, the notation $t_1 + \ldots + t_n$ for $n = 0$ denotes the term $0$. If $0 \notin \Sigma$ then this notation is undefined. The notation $\sum_{i=1}^{n} t_i$ is also used to denote the term $t_1 + \ldots + t_n$. The notation $nt$ denotes the term $\underbrace{t + \ldots + t}_{n \text{ times}}$. Observe that we have already used such notation for describing the equation X$_n$ in the list of equations above.

3.2.1 Properties of Terms Modulo AC Theories 

We now discuss some basic properties of terms modulo the above theories. We are interested in some canonical forms of terms modulo various theories, as well as conditions on when two terms are equivalent wrt a certain theory.

Observation 2 (AC Terms) Let $+ \in \Sigma$.

(i) For any $t \in T(\Sigma)$ we have terms $t_1, \ldots, t_n \in T(\Sigma)$ for some $n \ge 1$ such that $t =_{AC} t_1 + \cdots + t_n$ and the symbol $+$ does not occur at the head of any $t_i$. In particular if $-, 0 \notin \Sigma$ then each $t_i$ is functional.

(ii) If $s_1 + \ldots + s_n =_{AC} t_1 + \ldots + t_m$ and no $s_i$ or $t_j$ has the symbol $+$ at the root, then we have $n = m$ and for some permutation $\sigma$ of $\{1, \ldots, n\}$ we have $s_i =_{AC} t_{\sigma(i)}$ for $1 \le i \le n$.

Observation 3 (ACU Terms) Let $+, 0 \in \Sigma$.

(i) For any $t \in T(\Sigma)$ we have terms $t_1, \ldots, t_n \in T(\Sigma)$ for some $n \ge 0$ such that $t =_{ACU} t_1 + \cdots + t_n$ and the symbols $+$ and $0$ do not occur at the head of any $t_i$. In particular if $- \notin \Sigma$ then each $t_i$ is functional.

(ii) If $s_1 + \ldots + s_n =_{ACU} t_1 + \ldots + t_m$ and no $s_i$ or $t_j$ has the symbols $+$ or $0$ at the root, then we have $n = m$ and for some permutation $\sigma$ of $\{1, \ldots, n\}$ we have $s_i =_{ACU} t_{\sigma(i)}$.

Observations 2 and 3 are an alternative approach to defining the so-called 'flattened' representation of a term modulo AC (or ACU). In that approach, terms of the form $t_1 + \ldots + t_n$ are written as $f(t_1, \ldots, t_n)$ where $f$ has variable arity and the order of the children of a node labeled with $f$ is irrelevant.
We use the notation $s - t$ to denote the term $s + (-t)$.

For any $p$, we define the partial order $\le$ on $\mathbb{N}^p$ as: $o_1 \le o_2$ iff $o_1(i) \le o_2(i)$ for each $1 \le i \le p$. We write $o_1 < o_2$ iff $o_1 \le o_2$ and $o_1 \ne o_2$.

Let $\mathcal{D}$ denote the rewriting system $\{-(x + y) \to (-x) + (-y),\ -(-x) \to x,\ -0 \to 0,\ x + 0 \to x\}$. Then we have the following result:

Observation 4 (ACUD Terms) Let $+, -, 0 \in \Sigma$.

(i) $\to_{\mathcal{D}/AC}$ is terminating.

(ii) $\to_{\mathcal{D}/AC}$ is locally confluent. Hence from (i) and Lemma 4, $\to_{\mathcal{D}/AC}$ is confluent.

(iii) If $[t]_{AC}$ is normal wrt $\to_{\mathcal{D}/AC}$ then we have terms $s_1, \ldots, s_m, t_1, \ldots, t_n$ for some $m, n \ge 0$ such that each $s_i$ and each $t_j$ is functional and we have $t =_{AC} s_1 + \ldots + s_m - t_1 - \ldots - t_n$, and if $t'$ is any strict subterm of some $s_i$ or $t_j$ then $[t']_{AC}$ is normal.

(iv) If $s =_{ACUD} t$ then we have some functional terms $s_1, \ldots, s_m, t_1, \ldots, t_n$ for some $m, n \ge 0$ such that $s =_{ACUD} t =_{ACUD} s_1 + \ldots + s_m - t_1 - \ldots - t_n$, and $[s_1 + \ldots + s_m - t_1 - \ldots - t_n]_{AC}$ is a normal form of both $[s]_{AC}$ and $[t]_{AC}$.

Proof: We define a measure $v$ on terms as $v(t) = (v_1(t), v_2(t))$ where

- $v_1(t)$ is the number of pairs $(p, q)$ of positions in $t$ such that $p <_{pref} q$, the symbol $-$ occurs at $p$ and for all positions $p <_{pref} r <_{pref} q$, one of the symbols $+$, $-$ or $0$ occurs at $r$.

- $v_2(t)$ is the number of occurrences of the symbol $0$ in $t$.

We first observe that if $s =_{AC} t$ then $v(s) = v(t)$. Secondly if $s \to_{\mathcal{D}} t$ then $v(t) < v(s)$. Hence if $s \to_{\mathcal{D}/AC} t$ then $v(t) < v(s)$. Since $<$ is well founded on $\mathbb{N}^2$, this implies property (i). Property (ii) is proved by case analysis on all rewriting steps possible from a term. Property (iii) is proved using Observation 3 and case analysis on all possible structures of the term $t$.

To prove property (iv) define the relation $\sim$ on equivalence classes modulo AC as $[s]_{AC} \sim [t]_{AC}$ iff $s =_{ACUD} t$. Then $\sim$ is the reflexive transitive closure of $\to_{\mathcal{D}/AC}$. Now assume that $s =_{ACUD} t$. Then we have $[s]_{AC} \sim [t]_{AC}$. From Lemma 3 we have some $t'$ such that $[s]_{AC} \to^*_{\mathcal{D}/AC} [t']_{AC}$ and $[t]_{AC} \to^*_{\mathcal{D}/AC} [t']_{AC}$. We have $[s]_{AC} \sim [t']_{AC} \sim [t]_{AC}$, i.e. $s =_{ACUD} t' =_{ACUD} t$. Using property (i) let $[t'']_{AC}$ be in normal form such that $[t']_{AC} \to^*_{\mathcal{D}/AC} [t'']_{AC}$. We have $t' =_{ACUD} t''$. Using property (iii) we have functional terms $s_1, \ldots, s_m, t_1, \ldots, t_n$ for some $m, n \ge 0$ such that $t'' =_{ACUD} t =_{ACUD} s_1 + \ldots + s_m - t_1 - \ldots - t_n$. □

Let $\mathcal{X}$ denote the rewriting system $\{x + x \to 0,\ x + 0 \to x\}$.

Observation 5 (ACUX Terms) Let $+, 0 \in \Sigma$ and $- \notin \Sigma$.

(i) $\to_{\mathcal{X}/AC}$ is terminating.

(ii) $\to_{\mathcal{X}/AC}$ is locally confluent. Hence from (i) and Lemma 4, $\to_{\mathcal{X}/AC}$ is confluent.

(iii) If $[s]_{AC} \to^*_{\mathcal{X}/AC} [t]_{AC}$ then for some functional terms $s_1, \ldots, s_n, t_1, \ldots, t_n, u_1, v_1, \ldots, u_p, v_p$ ($n, p \ge 0$) we have $s =_{ACU} s_1 + \cdots + s_n + u_1 + v_1 + \ldots + u_p + v_p$, $t =_{ACU} t_1 + \ldots + t_n$, $s_i =_{ACUX} t_i$ for $1 \le i \le n$ and $u_i =_{ACUX} v_i$ for $1 \le i \le p$.

(iv) If $s =_{ACUX} t$ then we have some functional terms $s_1, \ldots, s_n, t_1, \ldots, t_n, u_1, v_1, \ldots, u_p, v_p, u'_1, v'_1, \ldots, u'_q, v'_q$ ($n, p, q \ge 0$) such that $s =_{ACU} s_1 + \ldots + s_n + u_1 + v_1 + \ldots + u_p + v_p$, $t =_{ACU} t_1 + \ldots + t_n + u'_1 + v'_1 + \ldots + u'_q + v'_q$, $s_i =_{ACUX} t_i$ for $1 \le i \le n$, $u_i =_{ACUX} v_i$ for $1 \le i \le p$ and $u'_i =_{ACUX} v'_i$ for $1 \le i \le q$.

Proof: Property (i) follows from the fact that if $s =_{AC} t$ then $s$ and $t$ have the same size, while if $s \to_{\mathcal{X}} t$ then the size of $t$ is strictly smaller than the size of $s$. Property (ii) is shown by a case analysis on all rewriting steps possible from a term $t$. Property (iii) is proved by induction on the length of rewrite derivations.

To prove property (iv) define the relation $\sim$ on equivalence classes modulo AC as $[s]_{AC} \sim [t]_{AC}$ iff $s =_{ACUX} t$. Then $\sim$ is the reflexive transitive closure of $\to_{\mathcal{X}/AC}$. Now assume that $s =_{ACUX} t$. Then we have $[s]_{AC} \sim [t]_{AC}$. From Lemma 3 we have some $t'$ such that $[s]_{AC} \to^*_{\mathcal{X}/AC} [t']_{AC}$ and $[t]_{AC} \to^*_{\mathcal{X}/AC} [t']_{AC}$. We have $[s]_{AC} \sim [t']_{AC} \sim [t]_{AC}$, i.e. $s =_{ACUX} t' =_{ACUX} t$. Using property (i) let $[t'']_{AC}$ be a normal form of $[t']_{AC}$. We have $t' =_{ACUX} t''$. Let $t'' =_{ACU} t'_1 + \ldots + t'_n$ for some $n \ge 0$ where each $t'_i$ is functional. Since $[s]_{AC} \to^*_{\mathcal{X}/AC} [t'']_{AC}$, using property (iii) we have functional terms $s_1, \ldots, s_n, u_1, v_1, \ldots, u_p, v_p$ for some $p \ge 0$ such that $s =_{ACU} s_1 + \ldots + s_n + u_1 + v_1 + \ldots + u_p + v_p$, $s_i =_{ACUX} t'_i$ for $1 \le i \le n$ and $u_i =_{ACUX} v_i$ for $1 \le i \le p$. Similarly we have functional terms $t_1, \ldots, t_n, u'_1, v'_1, \ldots, u'_q, v'_q$ for some $q \ge 0$ such that $t =_{ACU} t_1 + \ldots + t_n + u'_1 + v'_1 + \ldots + u'_q + v'_q$, $t_i =_{ACUX} t'_i$ for $1 \le i \le n$ and $u'_i =_{ACUX} v'_i$ for $1 \le i \le q$. Hence we also have $s_i =_{ACUX} t_i$ for $1 \le i \le n$. □

This generalizes to the theory ACUX$_n$ for any $n \ge 2$. For this we define the rewriting system $\mathcal{X}_n = \{\underbrace{x + \ldots + x}_{n \text{ times}} \to 0,\ x + 0 \to x\}$. We have

Observation 6 (ACUX$_n$ Terms) Let $+, 0 \in \Sigma$, $- \notin \Sigma$ and $n \ge 2$.

(i) $\to_{\mathcal{X}_n/AC}$ is terminating.

(ii) $\to_{\mathcal{X}_n/AC}$ is locally confluent. Hence from (i) and Lemma 4, $\to_{\mathcal{X}_n/AC}$ is confluent.

(iii) If $[s]_{AC} \to^*_{\mathcal{X}_n/AC} [t]_{AC}$ then for some functional terms $s_1, \ldots, s_m, t_1, \ldots, t_m, u^1_1, \ldots, u^n_1, \ldots, u^1_p, \ldots, u^n_p$ ($m, p \ge 0$) we have $s =_{ACU} s_1 + \ldots + s_m + u^1_1 + \cdots + u^n_1 + \ldots + u^1_p + \ldots + u^n_p$, $t =_{ACU} t_1 + \ldots + t_m$, $s_i =_{ACUX_n} t_i$ for $1 \le i \le m$ and $u^j_i =_{ACUX_n} u^k_i$ for $1 \le i \le p$, $1 \le j, k \le n$.

(iv) If $s =_{ACUX_n} t$ then we have some functional terms $s_1, \ldots, s_m, t_1, \ldots, t_m, u^1_1, \ldots, u^n_p, u'^1_1, \ldots, u'^n_q$ ($m, p, q \ge 0$) such that $s =_{ACU} s_1 + \ldots + s_m + u^1_1 + \ldots + u^n_1 + \ldots + u^1_p + \ldots + u^n_p$, $t =_{ACU} t_1 + \cdots + t_m + u'^1_1 + \ldots + u'^n_1 + \ldots + u'^1_q + \ldots + u'^n_q$, $s_i =_{ACUX_n} t_i$ for $1 \le i \le m$, $u^j_i =_{ACUX_n} u^k_i$ for $1 \le i \le p$, $1 \le j, k \le n$ and $u'^j_i =_{ACUX_n} u'^k_i$ for $1 \le i \le q$, $1 \le j, k \le n$.

Let $\mathcal{M}$ denote the rewriting system $\{x + (-x) \to 0,\ x + 0 \to x\}$.

Observation 7 (ACUM Terms) Let $+, 0, - \in \Sigma$.

(i) $\to_{\mathcal{M}/AC}$ is terminating.

(ii) $\to_{\mathcal{M}/AC}$ is locally confluent. Hence from (i) and Lemma 4, $\to_{\mathcal{M}/AC}$ is confluent.

(iii) If $[s]_{AC} \to^*_{\mathcal{M}/AC} [t]_{AC}$ then for some functional terms $s_1, \ldots, s_n, s'_1, \ldots, s'_m, t_1, \ldots, t_n, t'_1, \ldots, t'_m, u_1, v_1, \ldots, u_p, v_p$ ($n, m, p \ge 0$) we have $s =_{ACUD} s_1 + \ldots + s_n - s'_1 - \ldots - s'_m + u_1 - v_1 + \ldots + u_p - v_p$, $t =_{ACUD} t_1 + \ldots + t_n - t'_1 - \ldots - t'_m$, $s_i =_{ACUM} t_i$ for $1 \le i \le n$, $s'_i =_{ACUM} t'_i$ for $1 \le i \le m$ and $u_i =_{ACUM} v_i$ for $1 \le i \le p$.

(iv) If $s =_{ACUM} t$ then we have some functional terms $s_1, \ldots, s_n, s'_1, \ldots, s'_m, t_1, \ldots, t_n, t'_1, \ldots, t'_m, u_1, v_1, \ldots, u_p, v_p, u'_1, v'_1, \ldots, u'_q, v'_q$ ($n, m, p, q \ge 0$) such that $s =_{ACUD} s_1 + \ldots + s_n - s'_1 - \ldots - s'_m + u_1 - v_1 + \ldots + u_p - v_p$, $t =_{ACUD} t_1 + \ldots + t_n - t'_1 - \ldots - t'_m + u'_1 - v'_1 + \ldots + u'_q - v'_q$, $s_i =_{ACUM} t_i$ for $1 \le i \le n$, $s'_i =_{ACUM} t'_i$ for $1 \le i \le m$, $u_i =_{ACUM} v_i$ for $1 \le i \le p$ and $u'_i =_{ACUM} v'_i$ for $1 \le i \le q$.

Proof: Similar to Observation 5. □

Let $\mathcal{I}$ denote the rewriting system $\{x + x \to x,\ x + 0 \to x\}$.

Observation 8 (ACUI Terms) Let $+, 0 \in \Sigma$ and $- \notin \Sigma$.

(i) $\to_{\mathcal{I}/AC}$ is terminating.

(ii) $\to_{\mathcal{I}/AC}$ is locally confluent. Hence from (i) and Lemma 4, $\to_{\mathcal{I}/AC}$ is confluent.

(iii) If $[s]_{AC} \to^*_{\mathcal{I}/AC} [t]_{AC}$ then for some functional terms $s^1_1, \ldots, s^{p_1}_1, \ldots, s^1_n, \ldots, s^{p_n}_n$ ($n \ge 0$ and $p_i \ge 1$ for $1 \le i \le n$) we have $s =_{ACU} s^1_1 + \ldots + s^{p_1}_1 + \ldots + s^1_n + \ldots + s^{p_n}_n$, $t =_{ACU} s^1_1 + \cdots + s^1_n$ and $s^j_i =_{ACUI} s^k_i$ for $1 \le i \le n$, $1 \le j, k \le p_i$.

(iv) If $s =_{ACUI} t$ then we have some functional terms $s^1_1, \ldots, s^{p_1}_1, \ldots, s^1_n, \ldots, s^{p_n}_n, t^1_1, \ldots, t^{q_1}_1, \ldots, t^1_n, \ldots, t^{q_n}_n$ ($n \ge 0$ and $p_i, q_i \ge 1$ for $1 \le i \le n$) such that $s =_{ACU} s^1_1 + \ldots + s^{p_1}_1 + \ldots + s^1_n + \ldots + s^{p_n}_n$, $t =_{ACU} t^1_1 + \ldots + t^{q_1}_1 + \ldots + t^1_n + \ldots + t^{q_n}_n$, $s^j_i =_{ACUI} t^k_i$ for $1 \le i \le n$, $1 \le j \le p_i$, $1 \le k \le q_i$.

Proof: Similar to Observation 5. □


3.3 Tree Automata Clauses 

Let us now look at the special forms of definite clauses (3.1) that we need for our automata. 

3.3.1 Clauses of One-Way Equational Tree Automata 

We have already met the following two kinds of clauses in Chapter 1:

$P(f(x_1, \ldots, x_n)) \Leftarrow P_1(x_1) \wedge \ldots \wedge P_n(x_n)$   pop clause (3.2)

$P(x) \Leftarrow P_1(x)$   epsilon clause (3.3)

In clause 3.2, the variables $x_1, \ldots, x_n$ are distinct. We define one-way equational tree automata to consist of pop clauses and epsilon clauses (of course, we also specify the equational theory that we want the automata to work with).

Depending on whether $f$ is a free symbol, a constant symbol or one of the equational symbols, the pop clauses 3.2 can be classified into the following types:

$P(f(x_1, \ldots, x_n)) \Leftarrow P_1(x_1) \wedge \ldots \wedge P_n(x_n)$, $f$ being free   free pop clause (3.4)

$P(a)$, $a$ being a constant   base clause (3.5)

$P(x + y) \Leftarrow P_1(x) \wedge P_2(y)$   +-pop clause (3.6)

$P(-x) \Leftarrow Q(x)$   minus clause (3.7)

$P(0)$   zero clause (3.8)

Note that clauses 3.5 are a special case of clauses 3.4.
3.3.2 Clauses of Alternating Automata

Next we introduce intersection clauses:

$P(x) \Leftarrow P_1(x) \wedge P_2(x)$   intersection clause (3.9)

An alternating automaton is a set of intersection clauses and one-way automata clauses. The above clause can be read as "if term $t$ is accepted at each of the states $P_1$ and $P_2$ then $t$ is accepted at state $P$".


3.3.3 Clauses of Two-Way Automata 

General two-way equational tree automata are sets of clauses of one-way equational tree automata as well as of clauses of the form

$P(x_i) \Leftarrow Q(f(x_1, \ldots, x_n)) \wedge P_1(x_{i_1}) \wedge \ldots \wedge P_k(x_{i_k})$, $1 \le i, i_1, \ldots, i_k \le n$   general push clause (3.10)

where the variables $x_1, \ldots, x_n$ are distinct.

Depending upon whether the symbol $f$ in clause (3.10) is free or the symbol $+$, it will be called a general free push clause or a general +-push clause:

$P(x_i) \Leftarrow Q(f(x_1, \ldots, x_n)) \wedge P_1(x_{i_1}) \wedge \ldots \wedge P_k(x_{i_k})$, $f$ being free, $1 \le i, i_1, \ldots, i_k \le n$   general free push clause (3.11)

$P(x_i) \Leftarrow Q(x_1 + x_2) \wedge P_1(x_{i_1}) \wedge \ldots \wedge P_k(x_{i_k})$, $1 \le i, i_1, \ldots, i_k \le 2$   general +-push clause (3.12)

As remarked before, the use of the term 'general' above is intentional: we will see that in the equational case, the general push clauses are problematic and easily lead to undecidability. This leads us to study some restricted forms of general push clauses to keep decidability. We study the following three forms of clauses:

$P(x_i) \Leftarrow Q(f(x_1, \ldots, x_n)) \wedge P_1(x_{i_1}) \wedge \ldots \wedge P_k(x_{i_k})$, $f$ being free, $1 \le i_1, \ldots, i_k \le n$, $i \in \{1, \ldots, n\} \setminus \{i_1, \ldots, i_k\}$   free push clause (3.13)

$P(x) \Leftarrow P_1(x + y) \wedge P_2(y)$   +-push clause (3.14)

$P(x) \Leftarrow Q(x + y)$   standard +-push clause (3.15)

Note that we don't need to study push clauses involving the $-$ symbol, i.e. clauses of the form $P(x) \Leftarrow Q(-x)$. This is because this clause is equivalent to clause 3.7 if the equational theory that we are dealing with contains either the axioms ACUM, or the axiom D. This condition is satisfied by all the equational theories involving the $-$ symbol that we deal with. A two-way equational tree automaton (to be distinguished from a general two-way equational tree automaton) is a set of free push clauses and one-way equational tree automata clauses. We define constant-only automata to be those one-way automata for which all free symbols in the signature are constants (so that all free pop clauses are base clauses).

Observe that general two-way clauses are more expressive than intersection clauses. An intersection clause $P(x) \Leftarrow P_1(x) \wedge P_2(x)$ can be translated to the clauses $Q(f(x)) \Leftarrow P_1(x)$ and $P(x) \Leftarrow Q(f(x)) \wedge P_2(x)$ for a free unary $f$ and fresh predicate $Q$. Hence we have the following result (we have restricted ourselves to the theory ACU; this is also what we are going to use):

Observation 9 If automaton $\mathcal{A}$ consists only of intersection clauses and clauses of general two-way automata, then we can find a general two-way automaton $\mathcal{A}'$ such that for every state $P$ in $\mathcal{A}$, $\mathcal{L}_P(\mathcal{A}'/ACU) = \mathcal{L}_P(\mathcal{A}/ACU)$.

However this translation required a free unary symbol. We also sometimes need to restrict our signature such that all free symbols are constants. In such a case we can translate the intersection clause $P(x) \Leftarrow P_1(x) \wedge P_2(x)$ as the general +-push clause $P(x) \Leftarrow Q(x + y) \wedge Q_a(y) \wedge P_2(x)$ and the clauses $Q_a(a)$ and $Q(x + y) \Leftarrow P_1(x) \wedge Q_a(y)$ where $a$ is some constant in the signature, and $Q_a$ is a fresh predicate. As a result:

Observation 10 If automaton $\mathcal{A}$ consists only of intersection clauses and clauses of general two-way automata and all free symbols in the signature are constants, then we can find a general two-way automaton $\mathcal{A}'$ on the same signature such that for every state $P$ in $\mathcal{A}$, $\mathcal{L}_P(\mathcal{A}'/ACU) = \mathcal{L}_P(\mathcal{A}/ACU)$.

Given a general two-way automaton $\mathcal{A}$, we define $\mathcal{A}_{eq}$ (the equational part of $\mathcal{A}$) to be the set of +-pop clauses, minus clauses, zero clauses and general +-push clauses in $\mathcal{A}$. The remaining part is called $\mathcal{A}_{free}$ (the free or non-equational part of $\mathcal{A}$). Hence $\mathcal{A}_{free}$ contains the free pop clauses (and base clauses) and general free push clauses of $\mathcal{A}$. We also define $\mathcal{A}_{one\text{-}way}$ (the one-way part of $\mathcal{A}$) to be the set of all pop clauses and epsilon clauses in $\mathcal{A}$.

Finally we will also sometimes use clauses of other forms which can easily be expanded into equivalent automata clauses. For example the clause

$P(f(0) + a)$

can be expanded to the clauses

$P_0(0)$   $P_a(a)$   $P_f(f(x)) \Leftarrow P_0(x)$   $P(x + y) \Leftarrow P_f(x) \wedge P_a(y)$

where $P_0, P_a, P_f$ are fresh states. In general any clause of the form $P(t)$ for some ground term $t$ can be expanded to automata clauses. Clause

$P(x + t) \Leftarrow Q(x)$

can be translated to

$P(x + y) \Leftarrow Q(x) \wedge Q_t(y)$   $Q_t(t)$

where $Q_t$ is a fresh state. Clause

$P(f(x + y)) \Leftarrow Q(g(x)) \wedge R(y)$

can be translated to

$Q_g(x) \Leftarrow Q(g(x))$   $Q_+(x + y) \Leftarrow Q_g(x) \wedge R(y)$   $P(f(x)) \Leftarrow Q_+(x)$

where $Q_g, Q_+$ are fresh predicates. For ground terms $s$ and $t$, the clause

$P(f(x + s)) \Leftarrow Q(g(x + t))$

can be translated to

$Q_g(x) \Leftarrow Q(g(x))$   $Q_t(t)$   $Q_+(x) \Leftarrow Q_g(x + y) \wedge Q_t(y)$

$Q_s(s)$   $P(f(x + y)) \Leftarrow Q_+(x) \wedge Q_s(y)$

where $Q_g, Q_t, Q_+, Q_s$ are fresh states.
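The expansions above follow one pattern as far as the head of the clause is concerned: every non-variable argument of the head term gets a fresh state and a fresh variable, and the clause defining the fresh state collects the body atoms about the variables of that argument. The Python below is an added example, not code from the thesis, implementing that pattern for heads with ground or nested arguments and bodies on variables; it reproduces the expansions of $P(f(0) + a)$ and $P(x + t) \Leftarrow Q(x)$ given in the text and also handles a head such as $P(f(x + y))$ with body $Q(x) \wedge R(y)$. Body atoms on non-variable terms, which the text handles with push clauses, are out of its scope. The clause encoding and the fresh names `Qn`, `yn` are assumptions of this example.

```python
import itertools

# Assumed encoding: a clause is (head, body) with atoms (predicate, term); a term is a
# variable (a string) or a tuple ('f', t1, ..., tn); constants are ('a',), zero is ('0',).

def variables(t):
    """All variable occurrences in t, left to right, repeats included."""
    if isinstance(t, str):
        return [t]
    return [x for a in t[1:] for x in variables(a)]

def is_pop_clause(clause):
    """Clause format (3.2): head P(f(x1, ..., xn)) with distinct variables xi and a body
    made only of atoms Pi(xi) on those variables (base and zero clauses have n = 0)."""
    (_, t), body = clause
    if isinstance(t, str):
        return False
    xs = t[1:]
    return (all(isinstance(x, str) for x in xs) and len(set(xs)) == len(xs)
            and all(isinstance(u, str) and u in xs for _, u in body))

def expand(clause, fresh=None):
    """Expand a clause whose head may contain ground or nested arguments, and whose body
    atoms are on variables, into an equivalent list of pop clauses.  Each non-variable
    argument a of the head is replaced by a fresh variable y constrained by a fresh
    state Q(y), and Q is defined by the clause Q(a) <= (body atoms on variables of a),
    expanded recursively.  The original head predicate's clause comes last."""
    fresh = fresh if fresh is not None else itertools.count(1)
    (P, t), body = clause
    if isinstance(t, str):
        raise ValueError("head must not be a bare variable")
    if len(set(variables(t))) != len(variables(t)):
        raise ValueError("head variables must be distinct (non-linear heads not handled)")
    new_args, new_body, result = [], list(body), []
    for a in t[1:]:
        if isinstance(a, str):
            new_args.append(a)
            continue
        Q, y = f"Q{next(fresh)}", f"y{next(fresh)}"      # fresh state and fresh variable
        new_args.append(y)
        new_body.append((Q, y))
        inner = [(R, x) for R, x in body if x in variables(a)]   # atoms that move under Q
        new_body = [atom for atom in new_body if atom not in inner]
        result += expand(((Q, a), inner), fresh)
    result.append(((P, (t[0],) + tuple(new_args)), new_body))
    return result
```

For $P(f(0) + a)$ the function produces a zero clause, a base clause, a free pop clause and a +-pop clause, exactly the four clauses of the text with $P_0, P_a, P_f$ renamed to generated states; for $P(x + g(a)) \Leftarrow Q(x)$ it produces $P(x + y) \Leftarrow Q(x) \wedge Q_1(y)$ together with the two pop clauses defining $Q_1$.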

3.4 Other Formalisms of Equational Tree Automata 

We end this chapter with a discussion of some other formalisms similar to our equational tree automata. Tree automata modulo AC have been considered several times [Lug98, Lug03, DZL03, Ohs01, OT02], though not all these notions coincide. The automata of [Lug98] have additional sort restrictions, but are also extended with a rich constraints language. Recent work by Lugiez [Lug03] extends it to include equality and counting constraints, providing a rich framework that includes most known proposals for one-way AC tree automata with decidable emptiness problems. This framework is however incomparable to ours: while Lugiez's automata accommodate equality tests naturally, we shall see that our two-way automata cannot avoid undecidability in the presence of equality constraints. These automata, also called multitree automata, can also be thought of as extensions of our one-way AC (or ACU) automata with a rich set of constraints. The multitree automata also enjoy the good properties of classical tree automata: they are closed under Boolean operations and emptiness is decidable. [DZL03] presents sheaves automata, which are a tailored version of multitree automata aimed at the manipulation of XML Schemas.

These extensions of automata are motivated more by adding constraints to tree automata than by considering equational tree automata for arbitrary equational theories. It happens that one-way ACU automata can easily be thought of as tree automata with such a constraints language.

On the other hand Ohsaki et al. [Ohs01, OT02, OST03] consider a larger framework of E tree automata, where E is an equational theory. The E tree automata of Ohsaki are essentially rewriting systems, together with an equational theory E. We have already seen in Chapter 2 how one-way tree automata can be thought of as rewriting systems. Whereas we have chosen to consider tree automata as logic programs, so that equational tree automata are logic programs modulo an equational theory, Ohsaki adopts the viewpoint of tree automata as rewriting systems, so that his equational tree automata are rewriting systems modulo equational theories. The regular tree automata of Ohsaki consist of rewriting rules of the form

$f(q_1, \ldots, q_n) \to q$

(The rules $q \to q'$ can also be added without increasing expressiveness.) In the non-equational case, we have seen that these are exactly the clauses of one-way tree automata. Hence the regular E automata of Ohsaki can be thought of as the counterpart of our one-way equational tree automata. However this analogy does not go too far in the equational case. If we restrict ourselves to linear theories (like A, C, AC, ACU), then Ohsaki's regular E tree automata coincide with our one-way E tree automata. This follows from the results that firstly, if E is linear, Ohsaki's regular E tree automata accept exactly the E-closure of the corresponding non-equational tree automata, and secondly, as we show in Lemma 19 (Chapter 7), our one-way E tree automata accept exactly the E-closure of the corresponding non-equational tree automata. This in particular means that for linear E, emptiness of regular E tree automata is decidable.

However this correspondence between the two notions of equational tree automata does not hold for non-linear theories. While Lemma 19 holds for non-linear theories also, the corresponding result for the regular tree automata of Ohsaki does not hold in general for non-linear theories (like ACUX, ACUM, ACUI). Here is a counter-example:

Example 4 In Ohsaki's equational tree automata, with a single transition rule $q_1 + q_1 \to q$ and with the theory ACUX, we have $0 =_{ACUX} q_1 + q_1 \to q$, meaning $0$ is accepted at $q$. In our case, the corresponding one-way automaton has $q(x + y) \Leftarrow q_1(x) \wedge q_1(y)$ as the only clause. Modulo the theory ACUX (or modulo any other theory) no term is accepted at any of the two states. If we denote Ohsaki's automaton by $\mathcal{A}_{Ohsaki}$ and our automaton by $\mathcal{A}_{our}$, and we let $q$ be the final state in both automata, then we have

$\mathcal{L}(\mathcal{A}_{Ohsaki}/ACUX) = ACUX(\{0\}) \ne ACUX(\mathcal{L}(\mathcal{A}_{Ohsaki}/\emptyset)) = \emptyset$

whereas

$\mathcal{L}(\mathcal{A}_{our}/ACUX) = ACUX(\mathcal{L}(\mathcal{A}_{our}/\emptyset)) = \emptyset$

where the empty theory is denoted as $\emptyset$.

Besides, Ohsaki also defines "E tree automata" (not to be confused with our usage of the same expression) which extend regular E automata by rewriting rules of the form

$f(p_1, \ldots, p_n) \to f(q_1, \ldots, q_n)$

where $f$ is a functional symbol and the $p_i$, $q_i$ are states. As far as the AC case is concerned, it is remarked in [Ohs01] that Ohsaki's (non-regular) AC tree automata are strictly more expressive than regular AC tree automata. This means that Ohsaki's non-regular AC tree automata are strictly more expressive than our one-way AC tree automata. On the other hand our general two-way AC tree automata have been shown to recognize all recursively enumerable sets in Chapter 6, whereas emptiness of Ohsaki's non-regular AC tree automata is decidable. This means that our general two-way AC tree automata are strictly more expressive than Ohsaki's AC tree automata.

For arbitrary E we do not know the relation between our automata and Ohsaki’s automata, and 
the two notions appear rather dissimilar. One of the key differences is that while we extend the 
traditional correspondence between tree automata and logic programs from the non-equational case to 
the equational case, Ohsaki’s automata do not do so, as they mix equality on terms with equality on 
states, as illustrated by the above example. We have made this choice keeping in mind our goal of 
modeling cryptographic protocols, where the states (predicates) represent the set of messages known 
to an intruder, and hence they cannot be mixed with the terms which represent messages. 

Note that while all the papers cited above deal with one-way equational tree automata (although 
some of them are incomparable with our two-way automata), our work seems to be the first one to 
deal with equational variants of two-way tree automata. As we will see in this thesis, unlike in the 
non-equational case where all classes of alternating two-way automata have the same expressiveness 
as one-way tree automata, the various subclasses of two-way equational tree automata exhibit a wide 
range of behavior, from undecidability and encoding of all recursively enumerable sets to translation 
into one-way equational tree automata. As far as the one-way case is concerned, most of the previous 
work has been concerned with the theory AC ([OST03] deals with A tree automata); the various 
extensions of the AC theory like ACUX, ACUM, ACUI that we consider in this thesis have not 
been considered before in the context of equational tree automata. For these reasons, this work can be 
regarded as the first general treatment of one-way and two-way equational tree automata for AC-like 
theories. 

While we consider tree automata as logic programs and extend them by adding equational theories, 
there has also been much work on equational logic programs [Han94] as such, which are logic 
programs in which the special equality predicate also appears, so that the equational theory can be 
coded in the logic program itself. However our equational tree automata differ in that the equality symbol 
does not occur in the logic programs (in fact we only consider logic programs with unary predicates), 
and we separately consider an equational theory in which the equality predicate occurs. Moreover 
we are not aware of any work on finding decision procedures or closure properties for subclasses of 
equational logic programs, especially for the ones corresponding to our automata. 

Finally we have found that closure under Boolean operations has also been shown for the multiset 
automata of Colcombet [Col02], which correspond to the subclass of our one-way ACU automata 
in which all symbols other than +, 0 are unary, and were introduced for studying process rewrite 
systems. 

To avoid confusion we clarify that the “two-way automata” of [Var98] are a different notion from 
ours. For example in the string case their two-wayness refers to the fact that they have a fixed input on 
a tape and the transitions allow the read head on the tape to move in either direction. In our automata 
we don’t have any concept of a fixed input on which the automata can work. During the runs of our 
automata, the tree can grow by addition of function symbols at the top, or shorten by removal of 
function symbols from the top. This is the two-wayness that our terminology refers to. In particular 
no obvious notion of “equational” extensions of the two-way automata of [Var98] appears to us. 
Chapter 4 

Tree Automata Modulo Theories A and C 


Although the main subject of this thesis is tree automata modulo the theory AC and its 
extensions, it is also interesting to know what happens for the restrictions of the theory 
AC, namely the theories A and C. In this chapter we study tree automata modulo these 
two theories. Essentially we show that neither of the two cases is interesting, but for 
exactly opposite reasons : whereas tree automata modulo C are easily translated (in linear 
time) into equivalent non-equational tree automata, all the interesting problems are 
undecidable for tree automata modulo A. It remains for us to treat the theory AC and its 
extensions, which we do in the rest of the thesis. 
Although the main subject of this thesis is tree automata modulo the theory AC and its extensions, 
it is also interesting to know what happens in the cases of the restrictions of the theory AC, 
namely the theories A and C. In this chapter we study the tree automata modulo these two theories. 
We essentially show that neither of the two cases is interesting, although for exactly opposite reasons : 
while the C tree automata are easily translated (in linear time) to equivalent non-equational tree 
automata, all the interesting problems are undecidable for A tree automata. This leaves us to deal with the 
theory AC and its extensions in the rest of the thesis. 


4.1 C Tree Automata 


In this section we show that C tree automata are reducible in linear time to non-equational tree 
automata accepting the same language. Note that this statement makes sense since we have chosen to 
consider equational tree automata as accepting E-closed sets of terms instead of as sets of equivalence 
classes of terms modulo the equational theory. 

Let A be a general two-way tree automaton. Define the general two-way tree automaton B to consist 
of all clauses of A as well as new clauses P(x + y) ⇐ P_2(x) ∧ P_1(y) for every clause P(x + y) ⇐ 
P_1(x) ∧ P_2(y) occurring in A. We show that A/C is equivalent to B/∅. Recall that ∅ denotes the 
empty theory. One part is easy : 

Lemma 9 If P(t) is derivable in B/∅ then P(t) is derivable in A/C. 

Proof: We do induction on the size of the derivation π of P(t) in B/∅. 

Case 1. Suppose the last clause used is some definite clause (pop clause, epsilon clause or general 
push clause) of A, and π is of the form : 

$$\dfrac{\overset{\pi_1}{P_1(s_1\sigma)} \quad \cdots \quad \overset{\pi_n}{P_n(s_n\sigma)}}{P(s\sigma)} \; (P(s) \Leftarrow P_1(s_1) \wedge \ldots \wedge P_n(s_n))$$

where sσ = t. Then by applying the induction hypothesis on π_1, ..., π_n, we get derivations π'_1, ..., π'_n of 
P_1(s_1σ), ..., P_n(s_nσ) in A/C respectively. Then we get the following derivation of P(t) in A/C : 

$$\dfrac{\overset{\pi'_1}{P_1(s_1\sigma)} \quad \cdots \quad \overset{\pi'_n}{P_n(s_n\sigma)}}{P(s\sigma)} \; (P(s) \Leftarrow P_1(s_1) \wedge \ldots \wedge P_n(s_n))$$

Case 2. Suppose t = t_2 + t_1, P(x + y) ⇐ P_1(x) ∧ P_2(y) ∈ A and π is of the form 

$$\dfrac{\overset{\pi_1}{P_2(t_2)} \quad \overset{\pi_2}{P_1(t_1)}}{P(t_2 + t_1)} \; (P(x + y) \Leftarrow P_2(x) \wedge P_1(y))$$

By applying the induction hypothesis on π_1 and π_2 we get derivations π'_1 and π'_2 of P_2(t_2) and P_1(t_1) 
respectively in A/C. Then we get the following derivation of P(t) in A/C : 

$$\dfrac{\dfrac{\overset{\pi'_2}{P_1(t_1)} \quad \overset{\pi'_1}{P_2(t_2)}}{P(t_1 + t_2)} \; (P(x + y) \Leftarrow P_1(x) \wedge P_2(y))}{P(t_2 + t_1)} \; (C)$$

□ 

For the second part, we show the following statement : 

Lemma 10 If P(s) is derivable in A/C and s =_C t then P(t) is derivable in B/∅. 

Proof: We do induction on the size of the derivation π of P(s) in A/C. 

Case 1. Suppose s = f(s_1, ..., s_n) where f is free, and π is of the form 

$$\dfrac{\overset{\pi_1}{P_1(s_1)} \quad \cdots \quad \overset{\pi_n}{P_n(s_n)}}{P(f(s_1, \ldots, s_n))} \; (P(f(x_1, \ldots, x_n)) \Leftarrow P_1(x_1) \wedge \ldots \wedge P_n(x_n))$$

If s =_C t then there are terms t_1, ..., t_n such that t = f(t_1, ..., t_n) and s_i =_C t_i for 1 ≤ i ≤ n. 
By applying the induction hypothesis on π_1, ..., π_n, we get derivations π'_1, ..., π'_n of P_1(t_1), ..., P_n(t_n) 
respectively in B/∅. Then we have the following derivation of P(t) in B/∅ : 

$$\dfrac{\overset{\pi'_1}{P_1(t_1)} \quad \cdots \quad \overset{\pi'_n}{P_n(t_n)}}{P(f(t_1, \ldots, t_n))} \; (P(f(x_1, \ldots, x_n)) \Leftarrow P_1(x_1) \wedge \ldots \wedge P_n(x_n))$$

Case 2. Suppose s = s_1 + s_2, and π is of the form 

$$\dfrac{\overset{\pi_1}{P_1(s_1)} \quad \overset{\pi_2}{P_2(s_2)}}{P(s_1 + s_2)} \; (P(x + y) \Leftarrow P_1(x) \wedge P_2(y))$$

If s =_C t then we must have terms t_1 and t_2 such that s_1 =_C t_1 and s_2 =_C t_2 and t = t_i + t_{3−i} 
for some i ∈ {1, 2}. By applying the induction hypothesis on π_1 and π_2 we get derivations π'_1 and π'_2 of 
P_1(t_1) and P_2(t_2) respectively. By definition of B, the clause P(x + y) ⇐ P_i(x) ∧ P_{3−i}(y) is in B. 
Hence we have the following derivation of P(t) in B/∅ : 

$$\dfrac{\overset{\pi'_i}{P_i(t_i)} \quad \overset{\pi'_{3-i}}{P_{3-i}(t_{3-i})}}{P(t_i + t_{3-i})} \; (P(x + y) \Leftarrow P_i(x) \wedge P_{3-i}(y))$$

Case 3. Suppose s = s_i and π is of the form 

$$\dfrac{\overset{\delta}{Q(f(s_1, \ldots, s_n))} \quad \overset{\pi_1}{P_1(s_{i_1})} \; \cdots \; \overset{\pi_k}{P_k(s_{i_k})} \quad \overset{\delta_1}{Q_1(s_i)} \; \cdots \; \overset{\delta_p}{Q_p(s_i)}}{P(s_i)} \; (C)$$

where C = P(x_i) ⇐ Q(f(x_1, ..., x_n)) ∧ P_1(x_{i_1}) ∧ ... ∧ P_k(x_{i_k}) ∧ Q_1(x_i) ∧ ... ∧ Q_p(x_i) and 
i ∉ {i_1, ..., i_k}. If s_i =_C t then f(s_1, ..., s_n) =_C f(s_1, ..., s_{i−1}, t, s_{i+1}, ..., s_n). Then by applying 
the induction hypothesis on δ, δ_1, ..., δ_p, we get derivations δ', δ'_1, ..., δ'_p of Q(f(s_1, ..., s_{i−1}, t, s_{i+1}, ..., 
s_n)), Q_1(t), ..., Q_p(t) respectively in B/∅. Then we have the following derivation of P(t) in B/∅ : 

$$\dfrac{\overset{\delta'}{Q(f(s_1, \ldots, s_{i-1}, t, s_{i+1}, \ldots, s_n))} \quad \overset{\pi_1}{P_1(s_{i_1})} \; \cdots \; \overset{\pi_k}{P_k(s_{i_k})} \quad \overset{\delta'_1}{Q_1(t)} \; \cdots \; \overset{\delta'_p}{Q_p(t)}}{P(t)} \; (C)$$
Case 4. Suppose π is of the form 

$$\dfrac{\overset{\pi_1}{P(s')}}{P(s)} \; (C)$$

If s =_C t then s' =_C t, and applying the induction hypothesis on π_1 directly yields a derivation 
π'_1 of P(t) in B/∅, which is the required derivation. 

□ 

From Lemmas 9 and 10 it follows that A and B accept the same language if we let the final states 
of A and B be the same. Also observe that the only new clauses in B are +-pop clauses. This in 
particular implies that if A is a one-way automaton then B is also a one-way automaton. Similarly if 
A is a two-way automaton, a general two-way automaton or a constant-only automaton then B is also a 
two-way automaton, a general two-way automaton or a constant-only automaton respectively. We have 
similar conclusions for other classes of automata considered in the thesis. Finally we observe that B 
is computable in time linear in the number of clauses in A since we only need to add a +-pop clause 
for every +-pop clause in A. We summarize our results in the following theorem : 

Theorem 3 For every general two-way C tree automaton A, we can compute in linear time a general 
two-way automaton B such that L(B/∅) = L(A/C). Also the only clauses in B which are not in A 
are +-pop clauses. 


This means that studying extensions of tree automata by adding the theory C is not an interesting 
exercise. 


4.2 A Tree Automata 

While we saw in the previous section that C tree automata accept only regular tree languages 
and have good decidability properties, the case of A tree automata is completely different. We show 
that emptiness of intersection of languages accepted by A tree automata is undecidable, even when 
the only symbols in the signature other than + are constants. This is done by showing that these 
automata can accept context free languages, for which the intersection emptiness problem is known to 
be undecidable [HU79]. First we recall some notions on context-free languages. 

Definition 3 (Context Free Languages) A context free grammar is a quadruple (V, T, P, S) where 
V is a finite set of non-terminals, T is a finite set of terminals, P is a finite set of production rules of 
the form A → α, where A is a nonterminal and α ∈ (V ∪ T)*, and S ∈ V is the start symbol. 

Derivations in G are defined as follows : we write αAγ ⇒_G αβγ iff A → β ∈ P and α, γ ∈ 
(V ∪ T)*. The language generated by G, denoted L(G), is the set {w | w ∈ T* and S ⇒*_G 
w}. Context-free languages are defined to be the languages that can be generated by context-free 
grammars. 

Now we show a correspondence between constant-only A tree automata and context free 
grammars. Let the signature Σ contain only constants besides the symbol +. As in the AC case, we use the 
notation a_1 + ... + a_n to denote a term of the form (... ((a_1 + a_2) + a_3) + ...) + a_n. For any term t ∈ T(Σ), 
t =_A a_1 + ... + a_n for some constants a_1, ..., a_n ∈ Σ, n ≥ 1. This representation is also unique, 
unlike in the AC case where the order of the summands did not matter. Let T be the set of constants 
of Σ. Hence the function str : T(Σ) → T* which maps every term t to the string a_1 ... a_n ∈ T* 
where t =_A a_1 + ... + a_n is well defined. We have str(t_1) = str(t_2) iff t_1 =_A t_2. The range of 
str is every string in T* except the empty string ε. Hence there is a one-one correspondence between 
A-closed tree languages built on Σ, and the subsets of T* which do not contain the empty string, with 
the correspondence being defined by str. 

Given a constant-only automaton A on signature Σ, we define a context-free grammar gram(A) 
as follows. The non-terminals are the predicates of A. T is the set of terminals. The start symbol S is 
the final state of A. We have production rules in gram(A) corresponding to clauses of A as indicated 
in the table below. 


Clause of A                          Production rule of gram(A) 

P(x + y) ⇐ P_1(x) ∧ P_2(y)           P → P_1 P_2 

P(a)                                 P → a 

P(x) ⇐ P_1(x)                        P → P_1 


Similarly given a context free grammar G = (V, T, P, S) such that P contains only production 
rules of the form P → P_1 P_2, P → a and P → P_1, we have a constant-only automaton gram^{-1}(G) 
(which is uniquely defined up to renaming of variables in clauses) on signature T ∪ {+}, such that its 
set of predicates is V and the final state is S. 

First of all we can show the following easy result by induction on the derivations in a context free 
grammar. 

Lemma 11 Let G = (V, T, P, S) be a context free grammar. For x_1, ..., x_n ∈ V ∪ T and α ∈ 
(V ∪ T)*, x_1 ... x_n ⇒*_G α iff for some α_1, ..., α_n ∈ (V ∪ T)* with α = α_1 ... α_n we have x_i ⇒*_G α_i for 1 ≤ i ≤ n. 

We can now show : 


Lemma 12 P(t) is derivable in A/A iff P ⇒*_{gram(A)} str(t). Hence str(L(A/A)) = L(gram(A)). 


Proof: To show the “only if” part, we do induction on the length of the derivation of str(t) in 
gram(A). If t = a and the derivation is simply P ⇒ a then we use the clause P(a) to get the 
required result. If the derivation is of the form P ⇒_{gram(A)} P_1 ⇒*_{gram(A)} str(t) then by induction 
hypothesis P_1(t) is derivable in A/A. We then use the clause P(x) ⇐ P_1(x) to get a derivation of 
P(t). If the derivation is of the form P ⇒_{gram(A)} P_1 P_2 ⇒*_{gram(A)} str(t) then by Lemma 11 we 
have some t_1, t_2 such that t =_A t_1 + t_2 and we have P_1 ⇒*_{gram(A)} str(t_1) and P_2 ⇒*_{gram(A)} 
str(t_2). By induction hypothesis, P_1(t_1) and P_2(t_2) are derivable in A/A. Then we use the clause 
P(x + y) ⇐ P_1(x) ∧ P_2(y) to get a derivation of P(t). 

To show the “if” part, we do induction on the size of the derivation of P(t). If P(a) is derivable 
using the clause P(a), then we have P ⇒_{gram(A)} a. If P(t) is derivable using P(x) ⇐ P_1(x) as 
the last clause, then by induction hypothesis P_1 ⇒*_{gram(A)} str(t), hence we have P ⇒_{gram(A)} 
P_1 ⇒*_{gram(A)} str(t). If P(t_1 + t_2) is derivable using P(x + y) ⇐ P_1(x) ∧ P_2(y) as the last clause, 
then by induction hypothesis we have P_1 ⇒*_{gram(A)} str(t_1) and P_2 ⇒*_{gram(A)} str(t_2). Hence we 
have P ⇒_{gram(A)} P_1 P_2 ⇒*_{gram(A)} str(t_1) str(t_2) = str(t_1 + t_2). 

□ 

We recall the following result on context free languages : 


Lemma 13 ([HU79]) Any context-free language not containing ε is generated by a context free 
grammar in which all productions are of the form A → BC or A → a. 

Grammars of the above form are said to be in Chomsky normal form (CNF). In fact given any 
context-free grammar G we can effectively obtain a grammar G' in CNF such that L(G') = L(G) \ 
{ε}. We have the following characterization of the languages accepted by constant-only A-automata : 

Theorem 4 Constant-only A automata on signature Σ accept exactly the languages L such that 
str(L) is a context-free language on symbols from Σ \ {+} and not containing ε. 

Since context free languages are not closed under intersection, nor under complementation [HU79], 
it follows that the class of context free languages not containing ε is also not closed under intersection 
nor under complementation. Hence : 

Corollary 2 Constant-only A automata are closed under union, but are not closed under intersection, 
nor under complementation. 
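As an added example (not code from the thesis), the following Python implements the two translations of this chapter for constant-only automata: the mirrored +-pop clauses of Theorem 3 give acceptance modulo C, and gram(A) with a CYK-style membership test on str(t) gives acceptance modulo A as in Lemma 12. The clause and term encodings, and the sample automaton, are this example's own assumptions.

```python
"""Constant-only tree automata evaluated modulo the empty theory, modulo C
(Theorem 3) and modulo A (Lemma 12).  Added example, not the thesis's code."""

# A clause is a tuple: ('plus', P, P1, P2) for P(x + y) <= P1(x) /\ P2(y),
# ('const', P, a) for P(a), and ('eps', P, P1) for P(x) <= P1(x).
# A term is a constant name (str) or ('+', left, right).
# Constant names and state names are assumed to be disjoint.

def c_closure(clauses):
    """B from A (Section 4.1): add P(x+y) <= P2(x) /\ P1(y) for every +-pop
    clause P(x+y) <= P1(x) /\ P2(y).  Then L(B/empty) = L(A/C) (Theorem 3)."""
    mirrored = [('plus', p, p2, p1)
                for (_, p, p1, p2) in (c for c in clauses if c[0] == 'plus')]
    return list(clauses) + [m for m in mirrored if m not in clauses]

def _eps_closure(clauses, states):
    changed = True
    while changed:
        changed = False
        for c in clauses:
            if c[0] == 'eps' and c[2] in states and c[1] not in states:
                states.add(c[1])
                changed = True
    return states

def states_of(clauses, term):
    """States P such that P(term) is derivable modulo the empty theory."""
    if isinstance(term, str):
        states = {c[1] for c in clauses if c[0] == 'const' and c[2] == term}
    else:
        _, left, right = term
        ls, rs = states_of(clauses, left), states_of(clauses, right)
        states = {c[1] for c in clauses
                  if c[0] == 'plus' and c[2] in ls and c[3] in rs}
    return _eps_closure(clauses, states)

def str_of(term):
    """str(t): the constants of t in left-to-right order (bracketing is
    irrelevant modulo A), as a list of constant names."""
    return [term] if isinstance(term, str) else str_of(term[1]) + str_of(term[2])

def gram(clauses):
    """gram(A): the productions P -> P1 P2, P -> a and P -> P1 of Section 4.2."""
    return [(c[1], tuple(c[2:])) for c in clauses]

def derivable_from(prods, word):
    """Nonterminals X with X =>* word: CYK extended with unit productions."""
    n = len(word)
    table = {}
    def close(s):                        # saturate under unit productions
        changed = True
        while changed:
            changed = False
            for lhs, rhs in prods:
                if len(rhs) == 1 and rhs[0] in s and lhs not in s:
                    s.add(lhs)
                    changed = True
        return s
    for i, a in enumerate(word):
        table[i, i + 1] = close({lhs for lhs, rhs in prods if rhs == (a,)})
    for span in range(2, n + 1):
        for i in range(n - span + 1):
            j = i + span
            s = set()
            for k in range(i + 1, j):
                s |= {lhs for lhs, rhs in prods if len(rhs) == 2
                      and rhs[0] in table[i, k] and rhs[1] in table[k, j]}
            table[i, j] = close(s)
    return table[0, n]

def accepts(clauses, final, term, theory=''):
    """Membership of `term` in L(A/theory), theory in {'', 'C', 'A'}."""
    if theory == 'A':      # Lemma 12: P(t) derivable in A/A iff P =>* str(t)
        return final in derivable_from(gram(clauses), str_of(term))
    if theory == 'C':      # Theorem 3: evaluate B non-equationally
        return final in states_of(c_closure(clauses), term)
    return final in states_of(clauses, term)

# Constructed automaton: modulo the empty theory, F accepts only c + (b + a).
EXAMPLE = [('const', 'Pa', 'a'), ('const', 'Pb', 'b'), ('const', 'Pc', 'c'),
           ('plus', 'Q', 'Pb', 'Pa'), ('plus', 'F', 'Pc', 'Q')]

if __name__ == '__main__':
    for t in [('+', 'c', ('+', 'b', 'a')), ('+', ('+', 'a', 'b'), 'c'),
              ('+', ('+', 'c', 'b'), 'a')]:
        print(t, {th or 'empty': accepts(EXAMPLE, 'F', t, th)
                  for th in ('', 'C', 'A')})
```

The three terms show the three theories disagreeing: (a + b) + c is accepted only modulo C, (c + b) + a only modulo A.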

Finally we show the undecidability of intersection emptiness of the languages accepted by these 
automata. 

Theorem 5 Given two constant-only A automata A_1 and A_2, it is undecidable whether L(A_1/A) ∩ 
L(A_2/A) = ∅. 

Proof: Given two context-free grammars G_1 and G_2 it is undecidable [HU79] whether L(G_1) ∩ L(G_2) = ∅. 
We reduce it to the problem of deciding whether L(A_1/A) ∩ L(A_2/A) = ∅ for two constant-only 
automata A_1 and A_2. By Lemma 13 the problem remains undecidable when G_1 and G_2 are restricted to 
be in CNF, since it is decidable whether the string ε belongs to the language generated by a context-
free grammar. As a result, we have automata gram^{-1}(G_1) and gram^{-1}(G_2) such that by Lemma 12, 
str(L(gram^{-1}(G_1)/A)) = L(G_1) and str(L(gram^{-1}(G_2)/A)) = L(G_2). Hence L(G_1) ∩ L(G_2) = 
∅ iff str(L(gram^{-1}(G_1)/A)) ∩ str(L(gram^{-1}(G_2)/A)) = ∅ iff L(gram^{-1}(G_1)/A) ∩ L(gram^{-1}(G_2)/A) = 
∅, the last step because str is a bijection on A-closed languages. This completes the reduction. □ 

4.3 Conclusion 

We have dealt with the equational tree automata modulo the theories A and C. We showed that C 
tree automata can be converted in linear time to non-equational tree automata. On the other hand, A 
tree automata, even in the constant-only case, accept context free languages, implying undecidability 
of intersection emptiness, as well as the fact that constant-only A tree automata are closed under union, 
but are not closed under intersection nor under complementation. 



Chapter 5 

Application of Equational Tree Automata 


It is natural to ask what two-way (possibly alternating) automata modulo E are good for. 
Tree automata modulo AC have recently been used in the verification of XML schemas (see for 
example [Lug03, DZL03]). In this thesis we have not looked in detail at applications to XML 
schemas, and interested readers may consult [Lug03, DZL03]. Our main motivation for 
introducing these equational variants of two-way automata was to be able to model 
cryptographic protocols which use imperfect cryptographic primitives. In such applications, 
two-wayness is indispensable. We illustrate it with a case study in the field of cryptographic 
protocol verification. The example we have chosen is the group Diffie-Hellman protocol, used 
by a group of participants to agree on a common key, not disclosed outside the group, and such 
that no proper subgroup of the group could have formed a coalition to create the key and impose 
it on the rest of the group. 
It is natural to ask what uses two-way E-tree automata (possibly alternating) may have. AC-tree 
automata have enjoyed quite some interest recently, insofar as checking XML Schemas for example 
seems to require AC-tree automata techniques (see, e.g., [Lug03, DZL03]). In this thesis we have not 
focused on applications in XML Schemas, and we refer the interested reader to [Lug03, DZL03]. Our 
primary motivation for introducing these equational variants of two-way tree automata was to be able to 
model cryptographic protocols which use imperfect cryptographic primitives. For these applications, 
two-wayness is indispensable. We illustrate this with a case study in the field of cryptographic protocol 
verification. 


5.1 Group Diffie-Hellman Protocols 

This example is a so-called group key agreement scheme. To keep the exposition short, we only 
mention salient features exhibiting the role of two-way AC-tree automata. We feel that this example, 
where we encode the Diffie-Hellman primitive (modular exponentiation) with the help of an AC 
symbol to represent multiplication of exponents, is more faithful to actual implementations than previous 
models, e.g., [KFK97]. Arguably, the theory of Abelian groups would be suitable to the task, too ; see 
below. 

Consider the initial key agreement protocol IKA.1 [STW00] (formerly known as GDH.2), used 
to create an initial group key in the CLIQUES protocol suite. The goal is for a group of agents M_1, 
..., M_k to obtain a common key that they can use for further communication. This key should be 
unavailable to external eavesdroppers. (An eavesdropper is an intruder who may only listen to 
communication channels, but not forge messages, remove messages or redirect channels.) Moreover, no 
agent should be able to decide the value of the key for the others ; in general, no proper subset of 
the agents should be able to collude to create the common key. 

We study the IKA.1 protocol, in particular because it has attracted some attention recently. IKA.1 
is based on a Diffie-Hellman scheme [DH76], which works as follows. We take the standpoint of a 
Dolev-Yao-like model [DY83], where terms—here, modulo ACU—are used to denote messages. 

First, assume that there is a free unary function symbol e, which will be used as a way of 
encapsulating some secret—a kind of cryptographic hash function. Assume + is some ACU symbol, with 
unit 0. Then the signature Σ consists of e, +, 0. We require that every participant of the protocols to 
come, whether honest or dishonest, can compute e(M) from any message M, and e(M + M') from 
e(M) and M', but not more. Then for two agents M_1 and M_2 to get a common key, agent M_1 chooses 
some secret M_1, sends M_2 the message e(M_1); then agent M_2 chooses some other secret M_2, sends M_1 
the message e(M_2); finally both can compute the common secret e(M_1 + M_2) : agent M_1 can compute it 
from M_1 and e(M_2), agent M_2 can compute it from e(M_1) and M_2. Note that + has to be commutative for 
this to succeed. 

This can be implemented using modular exponentiation [DH76], by letting e(M) be coded as 
a^M mod N for well-chosen numbers a and N, + as multiplication, and 0 as the identity element 
of multiplication : to get e(M + M') = a^{MM'} mod N from e(M) = a^M mod N, just raise the latter 
to the power M', modulo N. Modern proposals implement e(M) as g^M, where g is a generator of some group, not 
necessarily (Z/NZ)*, typically groups generated by elliptic curves or hyperelliptic curves mod N. 

To describe the IKA.1 protocol [STW00], we shall not just use the function symbols e, +, and 
0, but also a binary function cons and a constant nil to represent lists. We shall also use additional 
constants, to be introduced later. We abbreviate cons(M_1, cons(M_2, ..., cons(M_n, nil) ...)) as 
M_1; M_2; ...; M_n. For simplicity, assume we have 3 members in the group, M_1, M_2, M_3. 

First, IKA.1 starts with a so-called upflow phase : M_1 sends M_2 the message e(N_1), where N_1 is 
a fresh nonce ; N_1 is modeled, as usual [Mon99], as a new constant. Then M_2 sends e(N_2); e(N_1); e(N_1 + 
N_2) to M_3, where N_2 is another fresh nonce (modeled as another new constant N_2 ≠ N_1). This is 
possible due to our assumptions that anybody can build e(M) from M and e(M + M') from e(M) 
and M'. 

Once this is done, M_3 starts the downflow phase, and broadcasts e(N_2 + N_3); e(N_1 + N_3), from 
which all members can compute the group key e(N_1 + N_2 + N_3). (N_3 is a third fresh nonce created 
by M_3.) 

All possible interleaved executions of the protocol can be described using Horn clauses modulo 
ACU, and we claim that the resulting set of clauses is a two-way ACU-automaton. Let us write 
selected clauses from this set. 

To model communication, introduce predicates ch_C for each configuration C that is reachable in 
an interleaved run of M_1, M_2, M_3. The formula ch_C(M) is meant to hold if and only if M is a 
possible message present on some communication channel when in configuration C. We also create 
a distinct predicate k_C such that k_C(M) is meant to hold when M is deducible, in a sense inspired 
by Dolev and Yao [DY83], from all messages present on the communication channels at or before 
configuration C. 

As such, for every reachable configuration C, we generate the clauses : 

k_C(e(0))                                      Intruder knows e(0)                 (5.1) 

k_C(e(x + y)) ⇐ k_C(e(x)) ∧ k_C(y)             Intruder can exponentiate           (5.2) 

k_C(nil)                                       Intruder knows the empty list       (5.3) 

k_C(cons(x, y)) ⇐ k_C(x) ∧ k_C(y)              Intruder can build lists            (5.4) 

k_C(x) ⇐ k_C(cons(x, y))                       Intruder can read heads             (5.5) 

k_C(y) ⇐ k_C(cons(x, y))                       Intruder can read tails             (5.6) 

We shall define several different intrusion models. This will notably affect the clauses we 
shall generate to define ch_C. Whatever the model, we shall generate the clauses 

k_C(x) ⇐ ch_C(x)                               Intruder spies on every channel     (5.7) 

k_C(x) ⇐ k_{C'}(x)                             Intruder remembers past messages    (5.8) 

for any reachable configuration C, and where C' is the predecessor of C (if any) in (5.8). 

The most benign model from a security viewpoint is the pure eavesdropper model, where the 
intruder does not interfere with communication, except for remembering all messages exchanged by 
the honest agents M_i. If M_i sends message M under some conditions B, then we generate the clause 
ch_C(M) ⇐ B. If M_i waits for some message M to be read before proceeding to some action 
described by a clause A ⇐ B, then we generate A ⇐ B, ch_C(M). (This will be described in more 
detail below.) In the pure eavesdropper model, this will be all. 

In the copycat model, the intruder is also able to replay old messages, and to divert communication 
channels. We generate the additional clause 

ch_C(x) ⇐ ch_{C'}(x)                                                               (5.9) 

for any reachable configuration C with predecessor C'. This specifies that every message put on 
some channel remains on this channel, and can be read at any time in the future, and replayed as many 
times as we wish. 
In the Dolev-Yao model, so named because it is closest to that of [DY83], instead of (5.9), we 
generate the clause 

ch_C(x) ⇐ k_C(x)                               Intruder has complete control over channels     (5.10) 

In other words, anything read from any channel is directly forged by the intruder from past 
messages. As far as security is concerned, this is the model giving the most abilities to the intruder. Any 
attack in all previous models can be played in this model. 

The final ingredient in our description of the protocol is the specification of the contents of the 
communication channels in the initial configuration C_0 : we assume that some predicate ch_{C_0} has 
been defined by some two-way ACU-tree automaton. We further restrict the pure eavesdropper model 
to be such that the channel is empty in configuration C_0 : just don’t produce any clause defining ch_{C_0}. 

Starting from C_0, execution may proceed by letting M_1 send its upflow message to M_2, letting 
the whole system progress to some new configuration C_1 (and C_0 is its predecessor) : 

ch_{C_1}(e(N_1))                                Intruder gets M_1’s message         (5.11) 

Note that ch_{C_1} holds of exactly one message in the pure eavesdropper model. This will be an invariant 
of our description : for any reachable configuration C, there will be at most one ground term M such 
that ch_C(M) holds—the contents of the channel. In the copycat and Dolev-Yao models, ch_C(M) may 
be true for several messages M, because of clauses (5.9), resp. (5.10). 

Let us write what happens when the next action is M_2 sending its own message to M_3 : 

ch_{C_2}(e(N_2); e(x); e(x + N_2)) ⇐ ch_{C_1}(e(x))                                  (5.12) 

Clause (5.12) means that M_2 reads the message from M_1 first ; this should be e(N_1), but M_2 can only 
check that it is e(x) for some x ; also, the only way it can get e(x) is by querying the channel through 
ch_{C_1}. Then M_2 should build e(N_2); e(N_1); e(N_1 + N_2). Since the variable x should contain N_1, actual 
implementations build e(N_2); e(x); e(x + N_2), and send it to the intruder in the new configuration C_2. 

The downflow message from M_3 gives rise to the clause : 

ch_{C_3}(e(x + N_3); e(y + N_3)) ⇐ ch_{C_2}(e(x); e(y); e(z))                         (5.13) 

Now the secrecy requirement on, say, M_1’s view of the group key is that 

⊥ ⇐ ch_{C_3}(cons(e(x), z')) ∧ k_{C_3}(e(x + N_1))                                   (5.14) 

Indeed, M_1’s view of the group key is e(x + N_1), where the message broadcasted by M_3 is e(x); y, 
i.e., where ch_{C_3}(e(x); y) holds (reminder : if this message is not forged, then x = N_2 + N_3). Clause 
(5.14) states that this view e(x + N_1) is not known to the intruder in configuration C_3 (and therefore 
neither in C_1 or C_2.) 

There are many other possible interleavings, whose description we leave to the reader. As we have 
said, our purpose here is not to actually verify this protocol, but to illustrate the application of two-way 
ACU-tree automata on a concrete example. All clauses but a few are automata clauses. E.g., clauses 
(5.3), (5.4) are pop clauses, clauses (5.5) and (5.6) are free push clauses. Clauses (5.7), (5.8), (5.9), 
and (5.10) are ε-clauses. From the abbreviations discussed in Chapter 3, clauses (5.1), (5.2), (5.11), 
can be expanded into free push clauses, free pop clauses, epsilon clauses and zero clauses. 

Clause (5.14) can be expanded to 

R(z) ⇐ ch_{C_3}(cons(z, z'))        R'(x) ⇐ R(e(x))        R''(x + N_1) ⇐ R'(x) 

R'''(e(z)) ⇐ R''(z)                 ⊥ ⇐ R'''(z) ∧ k_{C_3}(z) 

where R, R', R'', R''' are fresh and the last clause is a query clause which tests the intersection of 
languages defined by R''', ch_{C_1}, ..., ch_{C_3}. 

Clause (5.12) is more problematic : the clauses 

val_x(x) ⇐ ch_{C_1}(e(x))        ch_{C_2}(x_1; x_2; x_3) ⇐ P_1(x_1) ∧ P_2(x_2) ∧ P_3(x_3) 

P_1(e(N_2))        P_2(e(x)) ⇐ val_x(x)        P_3(e(x + N_2)) ⇐ val_x(x) 

are equivalent to (5.12) in the Dolev-Yao model, in the copycat model (where sending lists of elements 
or sending each element separately has the same net effect) and in the pure eavesdropper model (where 
any ch_C recognizes at most one value anyway). 

By a similar argument, clause (5.13) can be expanded into the clauses 

P_1(x) ⇐ ch_{C_2}(cons(x, y))        P_{23}(y) ⇐ ch_{C_2}(cons(x, y)) 

P_2(x) ⇐ P_{23}(cons(x, y))          ch_{C_3}(e(x + N_3); e(y + N_3)) ⇐ P_1(e(x)) ∧ P_2(e(y)) 

The resulting set of clauses defines a two-way ACU-automaton (recall that two-way ACU auto¬ 
mata extend one-way ACU automata by adding free push clauses) together with query clauses of the 
form _L 4= P\ (x) A P 2 (x). As remarked in Corollary 1 (which can be easily generalized to the equa- 
tional case) the purpose of these clauses is to check whether some common term is accepted by both 
Pi and P 2 . We show in Chapter 10 that these two-way ACU automata can be converted to equivalent 
one-way automata. The one-way ACU automata arc shown to be closed under intersection in Chap¬ 
ter 8 . Also we have already seen in Chapter 3 that emptiness of one-way equational tree automata is 
decidable. Together these results mean that the above queries can be decided for our modeling of the 
IKA. 1 protocol. 

Recall our remark at the beginning of this section that two-wayness is indispensable as far as applications to cryptographic protocols are concerned. This can be seen from the clauses used in this modeling. For example, clauses (5.5) and (5.6) are push clauses. Clause (5.2), when expanded, requires push clauses. The expansions described above of clauses (5.12), (5.13) and (5.14) also require push clauses.

The curious reader might want to know that the secrecy property fails, i.e., the above set of clauses (together with the query clauses) is unsatisfiable. Equivalently, the intersection of the states R''', chc_1, ..., chc_3 is not empty, i.e., there is an attack, in both the Dolev-Yao and the copycat models [MD02]. Note that IKA.1 was indeed designed so as to be resistant only to pure eavesdroppers.

While the above modeling is done using ACU automata, it is more realistic to also include the fact that + is a group law, requiring the use of two-way ACUM tree automata. For example the A-GDH.2-MA protocol in [PQ01], which is used to add a new member to a group, uses keys K as well as their inverses K^{-1}. Here K^{-1} is the multiplicative inverse of K, so that we have the property α^{y·K·K^{-1}} = α^y. In our modeling we can accommodate such messages by also having the − symbol in the signature, and representing the message K^{-1} by the term −K. We then need to work modulo the Abelian group theory ACUM to model the cancellation of keys in exponents.
Chapter 6

Undecidability Results


In this chapter we exhibit several undecidable problems in the theory of equational automata. In particular we show that alternating automata modulo ACU, as well as general two-way automata modulo ACU (those containing so-called general push clauses), have an undecidable emptiness test. This is the reason we introduced restricted versions of push clauses in Chapter 3; it is for these restricted versions that we will obtain decidability results in Chapter 10. These automata with restricted push clauses become undecidable again if we add equality constraints between brothers, as we will see in this chapter. These undecidability results hold even for other theories such as AC, ACUD and ACUM. For some theories such as ACUX and ACUI the decidability question is open. Note that these undecidability results contrast with the non-equational case, where alternation is essentially harmless.
In this chapter we show several undecidable problems concerning equational tree automata. In particular we show that alternating ACU automata, as well as general two-way ACU automata (those with general push clauses), have an undecidable emptiness test. This is the reason we have introduced restricted versions of push clauses in Chapter 3 to obtain decidability results. These restricted versions of automata, called two-way automata, for which the decidability results are studied in Chapter 10, become undecidable if we add equality constraints between brothers, as we will see in this chapter. These undecidability results continue to hold for other equational theories like AC, ACUD and ACUM. For some theories like ACUX, ACUI, the decidability question is open. Note that these undecidability results are in contrast to the non-equational case, where alternation is essentially harmless.

A two-counter machine [Min61] has a finite number of states, two registers R1 and R2, each of which can store a non-negative integer, and a finite control which makes the machine change state while incrementing or decrementing one of the registers or while checking whether one of the registers stores the value 0.

Formally, a two-counter machine M is a finite labeled transition system with an initial state q0, a final (acceptance) state qf, and transitions q —a→ q' where a may be Inc R_i, Dec R_i or Zero R_i, i ∈ {1, 2}. A configuration of the machine M is a triple (q, m, n) where q is a state and m, n ∈ N are the values of R1 and R2 respectively.

Inc R_i increments R_i, Dec R_i checks whether R_i ≥ 1 and if so decrements R_i, and Zero R_i checks whether R_i = 0. Accordingly, the allowed moves of M corresponding to the various transitions are described by the relation ⊢_M as follows:


q —a→ q', a = Inc R1 :     (q, m, n) ⊢_M (q', m + 1, n)
q —a→ q', a = Inc R2 :     (q, m, n) ⊢_M (q', m, n + 1)
q —a→ q', a = Dec R1 :     (q, m + 1, n) ⊢_M (q', m, n)
q —a→ q', a = Dec R2 :     (q, m, n + 1) ⊢_M (q', m, n)
q —a→ q', a = Zero R1 :    (q, 0, n) ⊢_M (q', 0, n)
q —a→ q', a = Zero R2 :    (q, m, 0) ⊢_M (q', m, 0)

We denote by ⊢*_M the reflexive transitive closure of ⊢_M.



The following theorem states that every recursively enumerable set of integers is accepted by some two-counter machine.

Theorem 6 ([Min61]) For any recursively enumerable set E of integers there is a two-counter machine M with initial state q0 and final state qf such that E = {n ∈ N | ∃m', n' ∈ N · (q0, 0, n) ⊢*_M (qf, m', n')}.


6.1 ACU Case 

First we deal with the undecidable problems in the ACU case. We show that alternating general two-way ACU automata have an undecidable emptiness test even with a signature in which all free symbols are constants. We discuss various cases according to the kinds of clauses allowed.

6.1.1 With General +-Push Clauses 

In case we allow general +-push clauses, we can produce undecidability using only two constants. Assume a signature Σ = {+, 0, a1, a2} where a1 and a2 are constants. To simulate two-counter machines using ACU automata, we encode configurations (q, m, n) of a two-counter machine by the atom q(⟨m, n⟩), where ⟨m, n⟩ denotes the term m·a1 + n·a2, for m, n ≥ 0. Observe that for every term t we have some m, n ≥ 0 such that t =_ACU ⟨m, n⟩.

Lemma 14 Given any two-counter machine M with initial state q0 and final state qf, we can compute an ACU automaton A containing at most epsilon clauses (3.3), base clauses (3.5), +-pop clauses (3.6), zero clauses (3.8) and general +-push clauses (3.12) such that L(A/ACU) = ACU({⟨m, n⟩ | ∃m', n' ∈ N · (q0, m, n) ⊢*_M (qf, m', n')}).

Proof: We simulate two-counter machines with the direction of computation reversed.

Because of Observation 10 we can also use intersection clauses in our automaton A, knowing that they can be eliminated to get a general two-way automaton. Also, as in the remarks at the end of Section 3.3.3, we can use clauses like P(x + a) ⇐ P1(x) and P(x) ⇐ P1(x + a), knowing that they can be translated using +-pop clauses and general +-push clauses.

The automaton A has a state q for each state q in M, as well as states zero1, zero2 and state. First we add the clauses

zero1(0)
zero1(x + a2) ⇐ zero1(x)
zero2(0)
zero2(x + a1) ⇐ zero2(x)
state(x + y) ⇐ zero1(x) ∧ zero2(y)

to A. We intend zero1 to accept all possible values of the registers R1 and R2 such that R1 = 0 (and R2 has any value in N). Similarly for zero2. We intend state to accept all possible valid values of the registers R1 and R2. Since we don't add any other clause in A which contains any of these predicates in the head, we have:

L_zero1(A/ACU) = ACU({⟨0, n⟩ | n ∈ N})
L_zero2(A/ACU) = ACU({⟨m, 0⟩ | m ∈ N})
L_state(A/ACU) = ACU({⟨m, n⟩ | m, n ∈ N})

Then we add the following clauses to A corresponding to the transitions of M:

q —a→ q', a = Inc R_i :     q(x) ⇐ q'(x + a_i)
q —a→ q', a = Dec R_i :     q(x + a_i) ⇐ q'(x)
q —a→ q', a = Zero R_i :    q(x) ⇐ q'(x) ∧ zero_i(x)

Finally we add the clause

qf(x) ⇐ state(x)

corresponding to the acceptance condition of M.

We need the following two intermediate results to finish our proof:

Claim 1 If (q, m, n) ⊢*_M (qf, m', n') then q(⟨m, n⟩) is derivable in A/ACU.

Proof: We do induction on the number of moves required by M to go from the configuration (q, m, n) to a configuration (qf, m', n'). We have the following cases:

(i) The number of moves is zero, i.e. (q, m, n) = (qf, m', n'). Since state(⟨m', n'⟩) is derivable in A/ACU, qf(⟨m', n'⟩) is derivable in A/ACU using the clause qf(x) ⇐ state(x).

(ii) M has a transition q —a→ q', a = Inc R1, and we have (q, m, n) ⊢_M (q', m + 1, n) ⊢*_M (qf, m', n'). By induction hypothesis q'(⟨m + 1, n⟩) is derivable in A/ACU. Hence q(⟨m, n⟩) is derivable in A/ACU using the clause q(x) ⇐ q'(x + a1).

(iii) M has a transition q —a→ q', a = Dec R1, and we have (q, m + 1, n) ⊢_M (q', m, n) ⊢*_M (qf, m', n'). By induction hypothesis q'(⟨m, n⟩) is derivable in A/ACU. Hence q(⟨m + 1, n⟩) is derivable in A/ACU using the clause q(x + a1) ⇐ q'(x).

(iv) M has a transition q —a→ q', a = Zero R1, and we have (q, 0, n) ⊢_M (q', 0, n) ⊢*_M (qf, m', n'). By induction hypothesis we have a derivation of q'(⟨0, n⟩) in A/ACU. Also zero1(⟨0, n⟩) is derivable in A/ACU. Hence, using the clause q(x) ⇐ q'(x) ∧ zero1(x), q(⟨0, n⟩) is derivable in A/ACU.

(v) The three cases involving register R2 instead of R1 are dealt with in a similar way as the corresponding cases (ii-iv).

□ 

Claim 2 If q is a state of M and q(⟨m, n⟩) is derivable in A/ACU then (q, m, n) ⊢*_M (qf, m', n') for some m', n' ∈ N.

Proof: We do induction on the structure of the derivation of q(⟨m, n⟩) in A/ACU. From Observation 1 we can assume that the derivation uses only rules of the form C/ACU for clauses C, and the only atoms appearing as conclusions of subderivations are of the form q'(⟨m'', n''⟩) (where q' is not necessarily a state of M but could also be one of the new states introduced in A). This can be ensured by replacing atoms q'(t) by atoms q'(⟨m'', n''⟩) such that ⟨m'', n''⟩ =_ACU t. The result is again a well-formed derivation.

(i) We have the derivation

        state(⟨m, n⟩)
        ─────────────  (qf(x) ⇐ state(x) / ACU)
         qf(⟨m, n⟩)

in A/ACU. Clearly we have (qf, m, n) ⊢*_M (qf, m, n).

(ii) We have the derivation

        q'(⟨m + 1, n⟩)
        ──────────────  (q(x) ⇐ q'(x + a1) / ACU)
          q(⟨m, n⟩)

in A/ACU and the transition q —a→ q', a = Inc R1, is in M. By induction hypothesis (q', m + 1, n) ⊢*_M (qf, m', n') for some m', n' ∈ N. Also, using the above transition, (q, m, n) ⊢_M (q', m + 1, n). Hence (q, m, n) ⊢*_M (qf, m', n').

(iii) We have the derivation

        q'(⟨m, n⟩)
        ──────────────  (q(x + a1) ⇐ q'(x) / ACU)
        q(⟨m + 1, n⟩)

in A/ACU and the transition q —a→ q', a = Dec R1, is in M. By induction hypothesis (q', m, n) ⊢*_M (qf, m', n') for some m', n' ∈ N. Also, using the above transition, (q, m + 1, n) ⊢_M (q', m, n). Hence (q, m + 1, n) ⊢*_M (qf, m', n').

(iv) We have the derivation

        q'(⟨0, n⟩)    zero1(⟨0, n⟩)
        ──────────────────────────  (q(x) ⇐ q'(x) ∧ zero1(x) / ACU)
                 q(⟨0, n⟩)

in A/ACU and the transition q —a→ q', a = Zero R1, is in M. By induction hypothesis (q', 0, n) ⊢*_M (qf, m', n') for some m', n' ∈ N. Also, using the above transition, (q, 0, n) ⊢_M (q', 0, n). Hence (q, 0, n) ⊢*_M (qf, m', n').

(v) The three cases involving register R2 instead of R1 are dealt with in a similar way as the corresponding cases (ii-iv).


□ 

We now return to the proof of Lemma 14. We name q0 as the final state of A. From Claims 1 and 2 we have L(A/ACU) = ACU({⟨m, n⟩ | ∃m', n' ∈ N · (q0, m, n) ⊢*_M (qf, m', n')}). □

This allows us to prove our first undecidability result:


Theorem 7 Every recursively enumerable set E of integers is effectively representable as the language L(A/ACU) for some automaton A containing only epsilon clauses (3.3), base clauses (3.5), +-pop clauses (3.6), zero clauses (3.8) and general +-push clauses (3.12). In particular emptiness of ACU-automata containing such clauses is undecidable.

Note that the representation of E as L(A/ACU) has to be modulo some encoding, as E contains integers, whereas L(A/ACU) contains terms. The encoding is specified in the proof.

Proof: Let E be a recursively enumerable set of integers. From Theorem 6 there is a two-counter machine M with initial state q0 and final state qf such that

E = {n ∈ N | ∃m', n' ∈ N · (q0, 0, n) ⊢*_M (qf, m', n')}.

By Lemma 14 we have an ACU automaton A containing at most epsilon clauses (3.3), base clauses (3.5), +-pop clauses (3.6), zero clauses (3.8) and general +-push clauses (3.12) such that

L(A/ACU) = ACU({⟨m, n⟩ | ∃m', n' ∈ N · (q0, m, n) ⊢*_M (qf, m', n')}).

Let q be the final state of A. Define automaton B to contain all the states and clauses of A. In addition B contains fresh states q1 and q2 as well as the clauses

q1(0)
q1(x + a2) ⇐ q1(x)
q2(x) ⇐ q(x) ∧ q1(x)

We name q2 as the final state of B. We have

L_q1(B/ACU) = ACU({⟨0, n⟩ | n ∈ N})

Hence

L(B/ACU) = L_q2(B/ACU)
         = L_q(B/ACU) ∩ L_q1(B/ACU)
         = L_q(A/ACU) ∩ L_q1(B/ACU)
         = L(A/ACU) ∩ L_q1(B/ACU)
         = ACU({⟨0, n⟩ | ∃m', n' ∈ N · (q0, 0, n) ⊢*_M (qf, m', n')})
         = ACU({n·a2 | n ∈ E})

Hence E is representable as L(B/ACU) modulo the encoding specified by the above equality.

Also E is empty iff L(B/ACU) is empty. As emptiness of recursively enumerable sets is undecidable [HU79], emptiness of ACU-automata containing clauses (3.3), (3.5), (3.6), (3.8) and (3.12) is undecidable. □
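The reversed simulation of Lemma 14 and the decoding of Theorem 7, as an added worked example (this is my code, not the thesis's): a term over {+, 0, a1, a2} modulo ACU is represented by its pair of constant counts, the clause set of Lemma 14 is generated from a machine given as a list of transitions (a format of my own), and derivability of q(⟨m, n⟩) is decided goal-directed under a depth bound, which is exactly a bounded run of the machine towards qf. The sample machines PARITY and MOVE are constructed for the example.

```python
"""Lemma 14 and Theorem 7 as runnable code (an added example; not code from the thesis).
Modulo ACU a term over {+, 0, a1, a2} is a multiset of constants, so the ACU-normal
form of a term is its pair of counts: (m, n) stands for m*a1 + n*a2, written <m, n> in
the text.  A machine is a list of transitions (q, op, i, q') with op in {"Inc", "Dec",
"Zero"} and register i in {1, 2}; this format is my own."""
from typing import Dict, List, Optional, Tuple

Counts = Tuple[int, int]                 # (#a1, #a2): ACU-normal form of a term
Transition = Tuple[str, str, int, str]   # (q, op, register, q')


def unit(i: int) -> Counts:
    """The constant a_i as a count vector."""
    return (1, 0) if i == 1 else (0, 1)


def add(u: Counts, v: Counts) -> Counts:
    return (u[0] + v[0], u[1] + v[1])


def sub(u: Counts, v: Counts) -> Optional[Counts]:
    """u minus v, or None if v is not an ACU-submultiset of u."""
    w = (u[0] - v[0], u[1] - v[1])
    return w if min(w) >= 0 else None


class LemmaFourteenAutomaton:
    """The clause set of Lemma 14 for a two-counter machine, queried goal-directed.

    A derivation of q(<m, n>) is unwound from its root: each clause applied to q's
    atom is one machine move taken from (q, m, n), so a derivation of depth d
    corresponds to a run of at most d moves ending in qf (Claims 1 and 2).  The depth
    bound makes the search terminate: the push clause q(x) <= q'(x + a_i) for Inc R_i
    grows the term, and a machine may run forever.
    """

    def __init__(self, trans: List[Transition], qf: str) -> None:
        self.trans = trans
        self.qf = qf
        self.memo: Dict[Tuple[str, Counts, int], bool] = {}

    def derivable(self, q: str, t: Counts, depth: int) -> bool:
        """Is q(t) derivable in A/ACU by a derivation of depth at most `depth`?"""
        # Languages of the auxiliary states, read off their clauses in the proof:
        #   zero1 = {<0, n>}, zero2 = {<m, 0>}, state = zero1 + zero2 = all <m, n>.
        if q == "zero1":
            return t[0] == 0
        if q == "zero2":
            return t[1] == 0
        if q == "state":
            return True
        if depth < 0:
            return False
        key = (q, t, depth)
        if key in self.memo:
            return self.memo[key]
        ok = q == self.qf and self.derivable("state", t, depth - 1)  # qf(x) <= state(x)
        for (p, op, i, p2) in self.trans:
            if ok or p != q:
                continue
            if op == "Inc":      # q(x) <= q'(x + a_i)            (general +-push clause)
                ok = self.derivable(p2, add(t, unit(i)), depth - 1)
            elif op == "Dec":    # q(x + a_i) <= q'(x)            (+-pop clause)
                u = sub(t, unit(i))
                ok = u is not None and self.derivable(p2, u, depth - 1)
            elif op == "Zero":   # q(x) <= q'(x) and zero_i(x)    (intersection clause)
                ok = (self.derivable("zero%d" % i, t, depth - 1)
                      and self.derivable(p2, t, depth - 1))
        self.memo[key] = ok
        return ok

    def represented_set(self, q0: str, bound: int, depth: int) -> List[int]:
        """Decode E from L(B/ACU) as in Theorem 7: with q2(x) <= q(x) and q1(x) and
        L_q1 = {<0, n>}, the term n*a2 is accepted iff q0(<0, n>) is derivable, i.e.
        iff n is in E.  Only n <= bound and derivations of depth <= depth are tried."""
        return [n for n in range(bound + 1) if self.derivable(q0, (0, n), depth)]


# Constructed sample machines (not from the thesis).
# PARITY accepts n from (q0, 0, n) iff n is even: it only decrements R2 and tests it.
PARITY: List[Transition] = [("q0", "Dec", 2, "q1"), ("q1", "Dec", 2, "q0"),
                            ("q0", "Zero", 2, "qf")]
# MOVE transfers R2 into R1 one unit at a time, so every n is accepted; its Inc step
# is what needs the general +-push clause.
MOVE: List[Transition] = [("q0", "Dec", 2, "q1"), ("q1", "Inc", 1, "q0"),
                          ("q0", "Zero", 2, "qf")]

if __name__ == "__main__":
    parity = LemmaFourteenAutomaton(PARITY, "qf")
    print(parity.represented_set("q0", 9, 30))      # the even numbers up to 9
    move = LemmaFourteenAutomaton(MOVE, "qf")
    print(move.derivable("q1", (0, 3), 40))          # (q1, 0, 3) reaches (qf, 4, 0)
```

The depth parameter is the only thing standing between this checker and the undecidability proved above: without it, the Inc clause can grow the term without bound whenever the machine does not halt.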

6.1.2 With Intersection Clauses 

We saw that emptiness is undecidable for ACU-automata when general +-push clauses are allowed. As the general +-push clauses are powerful enough to encode intersection clauses, intersection clauses were also used in the undecidability proof. In this section we show that undecidability can be obtained with intersection clauses alone, without using the general +-push clauses. To do this we require four constants, compared to the two constants used in the previous case. Hence we assume a signature Σ = {+, 0, a1, b1, a2, b2}. In the previous case, we used the push clauses to translate the increment transitions (which corresponded to subtracting a constant from the concerned term). However, in the absence of push clauses this is not possible. To solve this problem we encode configurations (q, m, n) of the counter machine by atoms q((m + x)a1 + x b1 + (n + y)a2 + y b2) where x, y ∈ N. Then incrementing m in the configuration corresponds to adding a1, while decrementing m corresponds to adding b1 and checking that the resulting atom represents a valid configuration. Checking whether m = 0 corresponds to checking whether the number of a1's is equal to the number of b1's. All these operations can be done using base clauses, +-pop clauses and intersection clauses. Hence we have the following result. (In passing, this encoding is similar to [ISD+02].)

Lemma 15 Let M be a two-counter automaton with initial state q0 and final state qf. Then we can compute an ACU-automaton A' containing at most epsilon clauses (3.3), base clauses (3.5), +-pop clauses (3.6), zero clauses (3.8) and intersection clauses (3.9) such that

1. If t ∈ L(A'/ACU) then t =_ACU (m + x)a1 + x b1 + (n + y)a2 + y b2 for some m, n, x, y ∈ N.

2. For all m, n ∈ N, (m + x)a1 + x b1 + (n + y)a2 + y b2 ∈ L(A'/ACU) for some x, y ∈ N iff for some m', n' ∈ N, (q0, m, n) ⊢*_M (qf, m', n').

Proof: Let A be the automaton as described in the proof of Lemma 14 (i.e. A not only satisfies the property stated by Lemma 14 but also has exactly the same clauses as defined in the proof of the Lemma). We will define an automaton A' to simulate A. As in the proof of Lemma 14 we will freely use clauses of the form P(x + t) ⇐ P1(x) in A', where t is some ground term. Such clauses can easily be eliminated using pop clauses.

Observe from the proof of Lemma 14 that A only contains clauses of the form

q(0)
q(x) ⇐ q1(x)
q(x) ⇐ q1(x) ∧ q2(x)
q(a_i)                    i ∈ {1, 2}
q(x + a_i) ⇐ q1(x)        i ∈ {1, 2}
q(x) ⇐ q1(x + a_i)        i ∈ {1, 2}

for some states q, q1, q2 in A. (q, q1, q2 are not necessarily states of M; they could also be the auxiliary states introduced in Lemma 14.) Also note that the above formats of clauses are exactly the ones which appeared in the proof of Lemma 14, without their expansion using pop and general push clauses of general two-way equational tree automata.

Let A' contain all states of A, as well as fresh states zero, pos1 and pos2. We first add the clauses

zero(0)
zero(x + a1 + b1) ⇐ zero(x)
zero(x + a2 + b2) ⇐ zero(x)
pos1(x + a1) ⇐ zero(x)
pos1(x + a1) ⇐ pos1(x)
pos1(x + a2) ⇐ pos1(x)
pos2(x + a2) ⇐ zero(x)
pos2(x + a1) ⇐ pos2(x)
pos2(x + a2) ⇐ pos2(x)

to A'. Intuitively, in state zero both R1 and R2 are zero. In pos1, R1 > 0 and R2 ≥ 0. In state pos2, R1 ≥ 0 and R2 > 0. We are not going to add any other clause which has any of the predicates zero, pos1, pos2 in the head. Hence, given a term t = m1 a1 + m2 b1 + n1 a2 + n2 b2,

t ∈ L_zero(A'/ACU) iff m1 = m2 and n1 = n2
t ∈ L_pos1(A'/ACU) iff m1 > m2 and n1 ≥ n2
t ∈ L_pos2(A'/ACU) iff m1 ≥ m2 and n1 > n2

Then we add clauses to A' corresponding to the clauses of A as follows:

clauses in A                    clauses in A'
q(0)                            q(x) ⇐ zero(x)
q(x) ⇐ q1(x)                    q(x) ⇐ q1(x)
q(x) ⇐ q1(x) ∧ q2(x)            q(x) ⇐ q1(x) ∧ q2(x)
q(a_i)                          q(x + a_i) ⇐ zero(x)
q(x + a_i) ⇐ q1(x)              q(x + a_i) ⇐ q1(x)
q(x) ⇐ q1(x + a_i)              q(x + b_i) ⇐ q1(x) ∧ pos_i(x)

The fact that A' simulates A is stated by Lemmas 16 and 17.


Lemma 16 For any state q in A and any m, n ∈ N, if m a1 + n a2 ∈ L_q(A/ACU) then ∃N ∈ N such that for all x, y ≥ N, (m + x)a1 + x b1 + (n + y)a2 + y b2 ∈ L_q(A'/ACU).

In the statement of the above Lemma we consider all x, y ≥ N for some N ∈ N instead of considering all x, y ∈ N. The reason for this becomes clear in case (vi) of the proof below.

Proof: We do induction on the size of the derivation of q(m a1 + n a2) in A/ACU. We have the following cases:

(i) q(0) is derived in A/ACU using the clause q(0). We know that for any x, y ≥ 0, x a1 + x b1 + y a2 + y b2 ∈ L_zero(A'/ACU). Hence using the clause q(x) ⇐ zero(x), the atom q(x a1 + x b1 + y a2 + y b2) is derivable in A'/ACU for all x, y ≥ 0.

(ii) q(m a1 + n a2) is derived in A/ACU using q(x) ⇐ q1(x) as the last clause. So q1(m a1 + n a2) is derivable in A/ACU. By induction hypothesis, ∃N ∈ N such that for any x, y ≥ N, q1((m + x)a1 + x b1 + (n + y)a2 + y b2) is derivable in A'/ACU. Then we use the clause q(x) ⇐ q1(x) to get derivations of q((m + x)a1 + x b1 + (n + y)a2 + y b2) in A'/ACU for all x, y ≥ N.

(iii) q(m a1 + n a2) is derived in A/ACU using q(x) ⇐ q1(x) ∧ q2(x) as the last clause. So q1(m a1 + n a2) and q2(m a1 + n a2) are derivable in A/ACU. By induction hypothesis, ∃N ∈ N such that for any x, y ≥ N, q1((m + x)a1 + x b1 + (n + y)a2 + y b2) and q2((m + x)a1 + x b1 + (n + y)a2 + y b2) are derivable in A'/ACU. Then we use the clause q(x) ⇐ q1(x) ∧ q2(x) to get derivations of q((m + x)a1 + x b1 + (n + y)a2 + y b2) in A'/ACU for all x, y ≥ N.

(iv) q(a1) is derived in A/ACU using the clause q(a1). For any x, y ∈ N, zero(x a1 + x b1 + y a2 + y b2) is derivable in A'/ACU. Hence using the clause q(x + a1) ⇐ zero(x), q((x + 1)a1 + x b1 + y a2 + y b2) is derivable in A'/ACU for all x, y ≥ 0.

(v) q((m + 1)a1 + n a2) is derived in A/ACU using q(x + a1) ⇐ q1(x) as the last clause. So q1(m a1 + n a2) is derivable in A/ACU. By induction hypothesis, ∃N ∈ N such that for any x, y ≥ N, q1((m + x)a1 + x b1 + (n + y)a2 + y b2) is derivable in A'/ACU. Then we use the clause q(x + a1) ⇐ q1(x) to get derivations of q((m + 1 + x)a1 + x b1 + (n + y)a2 + y b2) in A'/ACU for all x, y ≥ N.

(vi) q(m a1 + n a2) is derived in A/ACU using q(x) ⇐ q1(x + a1) as the last clause. So q1((m + 1)a1 + n a2) is derivable in A/ACU. By induction hypothesis, ∃N ∈ N such that for any x, y ≥ N, q1((m + 1 + x)a1 + x b1 + (n + y)a2 + y b2) is derivable in A'/ACU. Then we use the clause q(x + b1) ⇐ q1(x) ∧ pos1(x) (the pos1 condition holds since m + 1 + x > x and n + y ≥ y) to get derivations of q((m + 1 + x)a1 + (x + 1)b1 + (n + y)a2 + y b2) in A'/ACU for all x, y ≥ N. It follows that q((m + x)a1 + x b1 + (n + y)a2 + y b2) is derivable in A'/ACU for all x, y ≥ N + 1.

(vii) The three cases involving clauses q(a2), q(x + a2) ⇐ q1(x) and q(x) ⇐ q1(x + a2) are dealt with in a similar way as the corresponding cases (iv-vi).

□

Lemma 17 For any state q in A and for any m1, m2, n1, n2 ∈ N, if m1 a1 + m2 b1 + n1 a2 + n2 b2 ∈ L_q(A'/ACU) then m1 ≥ m2, n1 ≥ n2 and (m1 − m2)a1 + (n1 − n2)a2 ∈ L_q(A/ACU).

Proof: We do induction on the size of the derivation of q(m1 a1 + m2 b1 + n1 a2 + n2 b2) in A'/ACU.

We have the following cases:

(i) q(m1 a1 + m2 b1 + n1 a2 + n2 b2) is derived in A'/ACU using q(x) ⇐ zero(x) as the last clause. As zero(m1 a1 + m2 b1 + n1 a2 + n2 b2) is derivable in A'/ACU, m1 = m2 and n1 = n2. Also q(0) is derivable in A/ACU using the clause q(0).

(ii) q(m1 a1 + m2 b1 + n1 a2 + n2 b2) is derived in A'/ACU using q(x) ⇐ q1(x) as the last clause. So q1(m1 a1 + m2 b1 + n1 a2 + n2 b2) is derivable in A'/ACU. By induction hypothesis m1 ≥ m2, n1 ≥ n2 and q1((m1 − m2)a1 + (n1 − n2)a2) is derivable in A/ACU. Hence using the clause q(x) ⇐ q1(x), q((m1 − m2)a1 + (n1 − n2)a2) is derivable in A/ACU.

(iii) q(m1 a1 + m2 b1 + n1 a2 + n2 b2) is derived in A'/ACU using q(x) 3 q1(x) ∧ q2(x) as the last clause. So q1(m1 a1 + m2 b1 + n1 a2 + n2 b2) and q2(m1 a1 + m2 b1 + n1 a2 + n2 b2) are derivable in A'/ACU. By induction hypothesis m1 ≥ m2, n1 ≥ n2 and q1((m1 − m2)a1 + (n1 − n2)a2) and q2((m1 − m2)a1 + (n1 − n2)a2) are derivable in A/ACU. Hence using the clause q(x) ⇐ q1(x) ∧ q2(x), q((m1 − m2)a1 + (n1 − n2)a2) is derivable in A/ACU.

(iv) q((m1 + 1)a1 + m2 b1 + n1 a2 + n2 b2) is derived in A'/ACU using q(x + a1) ⇐ zero(x) as the last clause. Since zero(m1 a1 + m2 b1 + n1 a2 + n2 b2) is derivable in A'/ACU, m1 = m2 and n1 = n2. Also q(a1) is derivable in A/ACU using the clause q(a1).

(v) q((m1 + 1)a1 + m2 b1 + n1 a2 + n2 b2) is derived in A'/ACU using q(x + a1) ⇐ q1(x) as the last clause. So q1(m1 a1 + m2 b1 + n1 a2 + n2 b2) is derivable in A'/ACU. By induction hypothesis m1 ≥ m2, n1 ≥ n2 and q1((m1 − m2)a1 + (n1 − n2)a2) is derivable in A/ACU. Hence using the clause q(x + a1) ⇐ q1(x), q((m1 − m2 + 1)a1 + (n1 − n2)a2) is derivable in A/ACU.

(vi) q(m1 a1 + (m2 + 1)b1 + n1 a2 + n2 b2) is derived in A'/ACU using q(x + b1) ⇐ q1(x) ∧ pos1(x) as the last clause. So q1(m1 a1 + m2 b1 + n1 a2 + n2 b2) is derivable in A'/ACU. By induction hypothesis m1 ≥ m2, n1 ≥ n2 and q1((m1 − m2)a1 + (n1 − n2)a2) is derivable in A/ACU. Also pos1(m1 a1 + m2 b1 + n1 a2 + n2 b2) is derivable in A'/ACU. Hence m1 > m2, i.e. m1 − m2 ≥ 1. Hence using the clause q(x) ⇐ q1(x + a1), q((m1 − m2 − 1)a1 + (n1 − n2)a2) is derivable in A/ACU.

(vii) The three cases involving clauses q(x + a2) ⇐ zero(x), q(x + a2) ⇐ q1(x) and q(x + b2) ⇐ q1(x) ∧ pos2(x) are dealt with in a similar way as the corresponding cases (iv-vi).

□

Also recall the property of automaton A as stated in Lemma 14:

L(A/ACU) = ACU({⟨m, n⟩ | ∃m', n' ∈ N · (q0, m, n) ⊢*_M (qf, m', n')})    (6.1)

We name q0 (which is the final state of A) as the final state of A'.

Now we prove the two required items in the statement of Lemma 15:

1. Let t ∈ L(A'/ACU). By definition of our signature, t =_ACU m1 a1 + m2 b1 + n1 a2 + n2 b2 for some m1, m2, n1, n2 ∈ N. From Lemma 17 it follows that m1 ≥ m2 and n1 ≥ n2.

2. To show the 'only if' part, assume m, n, x, y ∈ N such that (m + x)a1 + x b1 + (n + y)a2 + y b2 ∈ L(A'/ACU). Since A and A' have the same final state, from Lemma 17, m a1 + n a2 ∈ L(A/ACU). From (6.1), (q0, m, n) ⊢*_M (qf, m', n') for some m', n' ∈ N.

To show the 'if' part, assume m, n, m', n' ∈ N such that (q0, m, n) ⊢*_M (qf, m', n'). From (6.1), m a1 + n a2 ∈ L(A/ACU). Since A and A' have the same final state, from Lemma 16 it follows that for some x, y ∈ N, (m + x)a1 + x b1 + (n + y)a2 + y b2 ∈ L(A'/ACU). □

Now we are ready to show the undecidability result for the alternation case:

Theorem 8 Every recursively enumerable set E of integers is effectively representable as the language L(A/ACU) for some automaton A containing only epsilon clauses (3.3), base clauses (3.5), +-pop clauses (3.6), zero clauses (3.8) and intersection clauses (3.9). In particular emptiness of ACU-automata containing such clauses is undecidable.

As in the case of general +-push clauses, the actual representation is modulo some encoding made precise in the proof of the theorem.

Proof: Let E be a recursively enumerable set of integers. From Theorem 6 there is a two-counter machine M with initial state q0 and final state qf such that

E = {n ∈ N | ∃m', n' ∈ N · (q0, 0, n) ⊢*_M (qf, m', n')}.

From Lemma 15 we can compute an ACU-automaton A' containing at most clauses (3.5), (3.3), (3.6) and (3.9) such that

1. If t ∈ L(A'/ACU) then t =_ACU (m + x)a1 + x b1 + (n + y)a2 + y b2 for some m, n, x, y ∈ N.

2. For all m, n ∈ N, (m + x)a1 + x b1 + (n + y)a2 + y b2 ∈ L(A'/ACU) for some x, y ∈ N iff for some m', n' ∈ N, (q0, m, n) ⊢*_M (qf, m', n').

Let q be the final state of A'. Define automaton B' to consist of all the states and all the clauses of A'. In addition B' contains fresh states q1 and q2 as well as the clauses

q1(0)
q1(x + a1 + b1) ⇐ q1(x)
q1(x + a2 + b2) ⇐ q1(x)
q1(x + a2) ⇐ q1(x)
q2(x) ⇐ q(x) ∧ q1(x)

We name q2 as the final state of B'. We have

L_q1(B'/ACU) = ACU({x a1 + x b1 + (n + y)a2 + y b2 | x, n, y ∈ N})

Hence we have the following properties of B':

1. If t ∈ L(B'/ACU) then t =_ACU x a1 + x b1 + (n + y)a2 + y b2 for some n, x, y ∈ N.

2. For all n ∈ N, x a1 + x b1 + (n + y)a2 + y b2 ∈ L(B'/ACU) for some x, y ∈ N iff n ∈ E.

These state the precise sense in which L(B'/ACU) represents E.

It follows that E is empty iff L(B'/ACU) is empty, implying the undecidability of emptiness of ACU-automata containing clauses (3.5), (3.3), (3.6) and (3.9). □
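The intersection-only encoding of Lemma 15 and the decoding of Theorem 8, as an added worked example (my code, not the thesis's): the right column of the translation table is generated from a machine given in the same transition-list format as the Lemma 14 example, and the auxiliary states zero, pos_i, zero_i are evaluated through the closed-form conditions read off their clauses. The clauses I use for state (state(x) ⇐ zero(x), state(x + a_i) ⇐ state(x), in place of the sum clause of Lemma 14) are my own assumption. The example shows the padding x, y of Lemma 16 growing with the number of Inc moves on the run, and the pos_i guard of Lemma 17 rejecting terms that encode no configuration.

```python
"""Lemma 15 and Theorem 8 as runnable code (an added example; not code from the thesis).
Modulo ACU a term over {+, 0, a1, b1, a2, b2} is its count vector (m1, m2, n1, n2) of
a1, b1, a2, b2.  A machine is a list of transitions (q, op, i, q') with op in {"Inc",
"Dec", "Zero"} and register i in {1, 2}; this format is my own."""
from typing import Dict, List, Optional, Tuple

Vec = Tuple[int, int, int, int]          # (#a1, #b1, #a2, #b2)
Transition = Tuple[str, str, int, str]

UNIT: Dict[str, Vec] = {"a1": (1, 0, 0, 0), "b1": (0, 1, 0, 0),
                        "a2": (0, 0, 1, 0), "b2": (0, 0, 0, 1)}


def minus(v: Vec, sym: str) -> Optional[Vec]:
    """v with one occurrence of the constant `sym` removed, or None if there is none."""
    u = UNIT[sym]
    w = (v[0] - u[0], v[1] - u[1], v[2] - u[2], v[3] - u[3])
    return w if min(w) >= 0 else None


def aux(name: str, v: Vec) -> bool:
    """Languages of the auxiliary states of A', read off their clauses.

    zero  : built from 0 by adding a1+b1 or a2+b2        -> m1 == m2 and n1 == n2
    pos_i : zero plus at least one a_i, then any a1, a2 -> strict in component i
    zero_i: the Lemma 14 states translated by the table (zero_i(0) becomes
            zero_i(x) <= zero(x); the +a clauses stay).
    state : assumed here to be state(x) <= zero(x), state(x + a_i) <= state(x).
    """
    m1, m2, n1, n2 = v
    return {"zero": m1 == m2 and n1 == n2,
            "pos1": m1 > m2 and n1 >= n2,
            "pos2": m1 >= m2 and n1 > n2,
            "zero1": m1 == m2 and n1 >= n2,    # R1 = 0, R2 arbitrary
            "zero2": m1 >= m2 and n1 == n2,    # R2 = 0, R1 arbitrary
            "state": m1 >= m2 and n1 >= n2}[name]


class LemmaFifteenAutomaton:
    """The clauses of A' (right column of the table), queried goal-directed.

    No general push clause is left: Inc R_i became q(x + b_i) <= q'(x) and pos_i(x),
    so every clause except the Zero ones removes a constant from the term and the
    search terminates without a depth bound (Zero steps only change the state, and an
    epsilon cycle adds nothing to the least model, so it is cut).
    """

    def __init__(self, trans: List[Transition], qf: str) -> None:
        self.trans = trans
        self.qf = qf
        self.memo: Dict[Tuple[str, Vec], bool] = {}   # caches successes only

    def derivable(self, q: str, v: Vec, path: frozenset = frozenset()) -> bool:
        """Is q(v) derivable in A'/ACU?"""
        key = (q, v)
        if key in self.memo:
            return True
        if key in path:
            return False
        path = path | {key}
        ok = q == self.qf and aux("state", v)      # qf(x) <= state(x)
        for (p, op, i, p2) in self.trans:
            if ok or p != q:
                continue
            if op == "Dec":      # q(x + a_i) <= q'(x)
                u = minus(v, "a%d" % i)
                ok = u is not None and self.derivable(p2, u, path)
            elif op == "Inc":    # q(x + b_i) <= q'(x) and pos_i(x); pos_i rejects
                u = minus(v, "b%d" % i)  # a term whose register would go below zero
                ok = u is not None and aux("pos%d" % i, u) and self.derivable(p2, u, path)
            elif op == "Zero":   # q(x) <= q'(x) and zero_i(x)
                ok = aux("zero%d" % i, v) and self.derivable(p2, v, path)
        if ok:
            self.memo[key] = True
        return ok

    def padding_for(self, q0: str, m: int, n: int, max_pad: int) -> Optional[Tuple[int, int]]:
        """First (x, y) <= max_pad with (m+x)a1 + x b1 + (n+y)a2 + y b2 in L_q0(A').
        By Lemmas 16 and 17 such a padding exists (for x, y large enough) iff (q0, m, n)
        reaches qf; each Inc move on the run costs one b_i, hence one unit of padding."""
        for x in range(max_pad + 1):
            for y in range(max_pad + 1):
                if self.derivable(q0, (m + x, x, n + y, y)):
                    return (x, y)
        return None

    def represented_set(self, q0: str, bound: int, max_pad: int) -> List[int]:
        """Decode E from L(B'/ACU) (Theorem 8): n is in E iff some padded term
        x a1 + x b1 + (n+y) a2 + y b2 is accepted at q0, the final state of A'."""
        return [n for n in range(bound + 1)
                if self.padding_for(q0, 0, n, max_pad) is not None]


# Constructed sample machines (not from the thesis), as in the Lemma 14 example.
PARITY: List[Transition] = [("q0", "Dec", 2, "q1"), ("q1", "Dec", 2, "q0"),
                            ("q0", "Zero", 2, "qf")]
MOVE: List[Transition] = [("q0", "Dec", 2, "q1"), ("q1", "Inc", 1, "q0"),
                          ("q0", "Zero", 2, "qf")]

if __name__ == "__main__":
    move = LemmaFifteenAutomaton(MOVE, "qf")
    print(move.padding_for("q0", 0, 3, 5))     # (3, 0): three Inc R1 moves, three b1's
    print(LemmaFifteenAutomaton(PARITY, "qf").represented_set("q0", 9, 3))
```

Compared with the Lemma 14 checker, no depth bound is needed here, but the quantifier over x, y moved into the encoding: deciding whether some padding exists is still a search over an unbounded space, which is where the undecidability now lives.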

6.1.3 Equality Constraints and Two-Way Automata 

We have seen in Observation 9 that general two-way push clauses are more expressive than intersection clauses. We now show that two-way automata, which are restricted versions of general two-way tree automata, together with equality constraints in the automata [CDG+97], are able to express alternation.

Equality constraints are expressed in our automata using clauses of the form

P(f(x, y, x)) ⇐ P1(x) ∧ P2(y) ∧ P3(x)

Note that the first and the third arguments of f are the same variable. (In the above example f is assumed to be ternary. In general f can be of arbitrary arity, and any number of arguments of f can be the same variable.) The above clause can be read as "if the same term x is accepted at both P1 and P3, and term y is accepted at P2, then term f(x, y, x) is accepted at P".

An intersection clause

P(x) ⇐ P1(x) ∧ P2(x)

can then be expressed as the pair of clauses

P(x) ⇐ Q(f(x, y))
Q(f(x, x)) ⇐ P1(x) ∧ P2(x)

where f is a free binary symbol and Q is a fresh state. The first of these two clauses is a free push clause, which is allowed in two-way automata. The second clause is a clause with an equality constraint as described above.

Hence we have the result

Lemma 18 Adding equality constraints to two-way ACU automata makes their emptiness undecidable.

On the other hand, we will see in Chapter 10 that two-way automata have good decidability and closure properties for most of the theories we deal with.

For this reason, we disallow equality constraints in our automata in order to have decidability results. This contrasts with the multitree automata of [Lug03], which can be thought of as extensions of one-way AC automata, and which accommodate equality constraints without losing decidability (see also the discussion in Section 3.4).

6.2 AC Case 

Both undecidability results for the ACU case in the previous section can also be shown for the AC case. The same ideas are used as in the ACU case. The main difference is that now our signature does not contain a unit for the + symbol. Hence atoms of the form q(0), which represented configurations (q, 0, 0) of two-counter machines in the ACU case, are not allowed. To overcome this problem we now encode configurations (q, m, n) by atoms q((m + 1)a1 + (n + 1)a2) instead of q(m a1 + n a2) as in the ACU case. This removes the need for the 0 symbol. This however poses a new problem: when a constant is removed from an atom using a general +-push clause, we can get atoms of the form q(m a1) or q(n a2) which do not represent any valid configuration. This problem is easily solved by using intersection clauses to filter out the 'bad' terms and keep only the 'good' ones. Instead of repeating all the proofs, which are essentially the same as for the corresponding ACU cases, we merely state the main undecidability results:

Theorem 9 Fix a signature Σ = {+, 0, a1, a2} where a1 and a2 are constants. Then every recursively enumerable set E of integers is effectively representable as the language L(A/AC) for some automaton A containing only epsilon clauses (3.3), base clauses (3.5), +-pop clauses (3.6) and general +-push clauses (3.12). In particular emptiness of AC-automata containing such clauses is undecidable.

Theorem 10 Fix a signature Σ = {+, 0, a1, b1, a2, b2} where a1, b1, a2 and b2 are constants. Then every recursively enumerable set E of integers is effectively representable as the language L(A/AC) for some automaton A containing only epsilon clauses (3.3), base clauses (3.5), +-pop clauses (3.6) and intersection clauses (3.9). In particular emptiness of AC-automata containing such clauses is undecidable.


6.3 ACUKD and ACUM Cases 

The undecidability results for the ACU and AC cases can also be adapted to the ACUD and 
ACUM cases. Instead of repeating the proofs which arc similar to the previous ones, we merely give 
the main results together with the ideas. 

Recall that ACUD is the theory of a distributive (but not cancellative) — symbol. Its axioms arc 
those of ACU, together with the axioms — (x + y) = —x + (—y), — (— x) = x and —0 = 0. 

In order to adapt the undecidability proofs to the ACUD case, first observe that if the — symbol 
does not occur in an automaton then the language accepted by the automaton modulo ACUD is same 
as the language accepted by the automaton modulo ACU. This statement however needs to be formu¬ 
lated more carefully, as we do now. (To be formal, this holds only if we consider only the ‘normal’ 
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terms from which the — symbol has been removed. For example, if some state P accepts term t when 
the automaton is considered modulo ACU, then modulo A CUB, the automaton also accepts ’unne¬ 
cessary’ terms like — (— t), £))), tE (—0) etc.) This allows us to conclude the following two 

results similar to those in the theories AC and ACU. 

Theorem 11 Fix a signature S = {+, 0, —, a\, a 2 } where a\ and a 2 are constants. Then every re¬ 
cursively enumerable set E of integers is effectively representable as the language C(A/ACUD) for 
some automata A containing only epsilon clauses (3.3), base clauses (3.5), E-pop clauses (3.6), mi¬ 
nus clauses (3.7), zero clauses (3.8) and general E-push clauses (3.12). In particular emptiness of 
ACUD -automata containing such clauses is undecidable. 

Theorem 12 Fix a signature S = {+, 0, —, ci\, b\, 02,62} where 01,61,02 and 62 are constants. 
Then every recursively enumerable set E of integers is effectively representable as the language 
£(A/ACUB) for some automata A containing only epsilon clauses (3.3), base clauses (3.5), +- 
pop clauses (3.6), minus clauses (3.7), zero clauses (3.8) and intersection clauses (3.9). In particular 
emptiness of ACVO-automata containing such clauses is undecidable. 

The minus clauses (3.7) in the above results are not necessary, but we have included them only because they are part of all the classes of ACUD automata that we study.

Now we come to the theory ACUM, which is the equational theory of Abelian groups and consists of the axioms of ACU together with the axiom $x + (-x) = 0$. In this case we first observe that we can do away with the general $+$-push clauses (3.12). This is because the general $+$-push clauses used in the previous undecidability proofs are all of the special form $q(x) \Leftarrow q_1(x + a)$ for some states $q, q_1$ and some constant $a$. In the ACUM case we can replace this clause by the clause $q(x - a) \Leftarrow q_1(x)$: modulo ACUM, $s - a =_{\mathrm{ACUM}} t$ iff $s =_{\mathrm{ACUM}} t + a$, so both clauses let $q$ accept exactly the terms $t$ such that $q_1$ accepts $t + a$. Hence we can show undecidability using only intersection clauses but no general $+$-push clauses, and using only two constants. Secondly the translation requires some care compared to the previous theories, because in this case our clauses allow the states to accept terms like $-a_1$, $2a_1 - 5a_2, \ldots$ which were not present in the AC or ACU case, and which do not represent any valid register values of the two-counter machine. However it is easy to filter out these unnecessary terms using intersection clauses. This allows us to conclude:

Theorem 13 Fix a signature $\Sigma = \{+, 0, -, a_1, a_2\}$ where $a_1$ and $a_2$ are constants. Then every recursively enumerable set $E$ of integers is effectively representable as the language $\mathcal{L}(\mathcal{A}/\mathrm{ACUM})$ for some automaton $\mathcal{A}$ containing only epsilon clauses (3.3), base clauses (3.5), $+$-pop clauses (3.6), minus clauses (3.7), zero clauses (3.8) and intersection clauses (3.9). In particular emptiness of ACUM-automata containing such clauses is undecidable.

6.4 Conclusion 

We have shown that the presence of alternation or of general push clauses makes the emptiness problem of equational tree automata undecidable. For this we do not even need arbitrary free function symbols: a very small number of constants, besides the equational symbols $+$, $-$, $0$, suffices. These undecidability proofs are based on encodings of two-counter automata.

These undecidability results have been shown for the theories AC, ACU, ACUD and ACUM. The encoding of two-counter automata is based on the fact that these theories allow us to do counting, by using terms of the form $m a_1 + n a_2$ to represent register values $(m, n)$. On the other hand, these methods seem difficult to generalize to the theories ACUX, ACUX$_n$ and ACUI. This is because the non-linear equations in the latter theories make it difficult to do counting. For example in the case of the theory ACUX we have $a =_{\mathrm{ACUX}} 3a =_{\mathrm{ACUX}} 5a = \ldots$ Similarly we have $a =_{\mathrm{ACUI}} 2a =_{\mathrm{ACUI}} 3a = \ldots$

In fact if all the free function symbols in the signature are constants, then the sets $T(\Sigma)/{=_{\mathrm{ACUX}}}$ and $T(\Sigma)/{=_{\mathrm{ACUI}}}$ are both finite (and so is $T(\Sigma)/{=_{\mathrm{ACUX}_n}}$). Hence the previous encodings of configurations of two-counter automata are clearly impossible. The decidability question of ACUX, ACUX$_n$ and ACUI automata in the presence of intersection clauses or general $+$-push clauses is currently open.
Part III


One-Way Equational Tree Automata
(Automates d'arbres équationnels unidirectionnels)


Chapter 7


The Basic Toolkit
(Les outils de base)


In this chapter we develop some basic tools which will help us in studying equational tree automata in the rest of this thesis. Firstly we show that emptiness of one-way equational tree automata is decidable for an arbitrary theory, including those not studied in this thesis. Secondly we study some properties of derivations in equational tree automata modulo ACU and some other theories. These results give us some tools to manipulate derivations involving the equational parts of automata. Thirdly, we study constant-only automata (recall that these are one-way automata in which all free symbols in the signature are constants) for certain theories and prove that they accept semilinear sets. The results in this chapter are crucial in that they will be used throughout the rest of this thesis.


7.1 Em­ptiness Test for One-Way Equational Tree Automata

First we deal with emptiness of one-way equational tree automata. The following result is an easy consequence of the definition of equational tree automata:


Lemma 19 For any one-way automaton $\mathcal{A}$ and equational theory $\mathbb{E}$, $\mathcal{L}_P(\mathcal{A}/\mathbb{E}) = \mathbb{E}(\mathcal{L}_P(\mathcal{A}))$.

Proof: First we show that $\mathbb{E}(\mathcal{L}_P(\mathcal{A})) \subseteq \mathcal{L}_P(\mathcal{A}/\mathbb{E})$. Let $t \in \mathbb{E}(\mathcal{L}_P(\mathcal{A}))$. Then there is some $s =_{\mathbb{E}} t$ such that $s \in \mathcal{L}_P(\mathcal{A})$. Then $s \in \mathcal{L}_P(\mathcal{A}/\mathbb{E})$, and because of Rule (E), $t \in \mathcal{L}_P(\mathcal{A}/\mathbb{E})$.

Next, by induction on the size of the derivation $\pi$ of $P(t)$ in $\mathcal{A}/\mathbb{E}$, we show that if $P(t)$ is derivable in $\mathcal{A}/\mathbb{E}$ then there is some $s =_{\mathbb{E}} t$ such that $P(s)$ is derivable in $\mathcal{A}$ (i.e. without Rule (E)).

Case 1. There is some $t' =_{\mathbb{E}} t$ such that $\pi$ is of the form
$$\pi \;=\; \dfrac{\;\overset{\pi'}{P(t')}\;}{P(t)}\ (\mathrm{E})$$
Then, applying the induction hypothesis to $\pi'$, we have some $s =_{\mathbb{E}} t'$ such that $P(s)$ is derivable in $\mathcal{A}$. Then we also have $s =_{\mathbb{E}} t$.

Case 2. $t = f(t_1, \ldots, t_n)$ and $\pi$ is of the form
$$\pi \;=\; \dfrac{\;\overset{\pi_1}{P_1(t_1)}\;\cdots\;\overset{\pi_n}{P_n(t_n)}\;}{P(f(t_1, \ldots, t_n))}\ \big(P(f(x_1, \ldots, x_n)) \Leftarrow P_1(x_1), \ldots, P_n(x_n)\big)$$
(Epsilon clauses $P(x) \Leftarrow P_1(x)$ are treated in the same way, with $n = 1$ and no function symbol at the root.) For each $i$, by applying the induction hypothesis to $\pi_i$, we get terms $s_i =_{\mathbb{E}} t_i$ and derivations $\pi'_i$ of $P_i(s_i)$ in $\mathcal{A}$. Let $s = f(s_1, \ldots, s_n)$. Then $s =_{\mathbb{E}} t$, and $P(s)$ has the following derivation in $\mathcal{A}$:
$$\dfrac{\;\overset{\pi'_1}{P_1(s_1)}\;\cdots\;\overset{\pi'_n}{P_n(s_n)}\;}{P(f(s_1, \ldots, s_n))}\ \big(P(f(x_1, \ldots, x_n)) \Leftarrow P_1(x_1), \ldots, P_n(x_n)\big)$$
$\square$

As a consequence:

Theorem 14 For any equational theory $\mathbb{E}$, emptiness of one-way $\mathbb{E}$ tree automata is decidable.

Proof: From Lemma 19, for any one-way automaton $\mathcal{A}$ and predicate $P$, $\mathcal{L}_P(\mathcal{A}/\mathbb{E}) = \emptyset$ iff $\mathcal{L}_P(\mathcal{A}) = \emptyset$. Hence the emptiness of one-way $\mathbb{E}$ tree automata is equivalent to the emptiness of one-way (non-equational) tree automata, and the latter is known to be decidable. $\square$

Observe that the arguments in the above two proofs are rather simple, although our experience shows that these results usually come as a surprise to most people. We have in fact also shown that emptiness of one-way equational tree automata is decidable in polynomial time for any equational theory, since the emptiness of one-way non-equational tree automata is decidable in polynomial time, in fact in linear time, as remarked in [CDG+97].

The above two results also hold for the "regular $\mathbb{E}$ tree automata" of [Ohs01] when $\mathbb{E}$ is linear. However, as we have seen in Example 4, they do not hold in the case of non-linear theories in general. (Recall that the regular $\mathbb{E}$ tree automata of Ohsaki are the equivalent of our one-way $\mathbb{E}$ tree automata.)

Lemma 19 does not hold for alternating (or two-way) equational tree automata in general. We have the following alternating automaton as a counter-example.

Example 5 Consider the automaton $\mathcal{A} = \{P_1(a),\ P_2(b),\ P_3(x + y) \Leftarrow P_1(x) \wedge P_2(y),\ P_4(x + y) \Leftarrow P_2(x) \wedge P_1(y),\ P(x) \Leftarrow P_3(x) \wedge P_4(x)\}$ modulo commutativity (i.e. the theory C). We have $\mathcal{L}_P(\mathcal{A}) = \emptyset$, since $P_3$ accepts only $a + b$ and $P_4$ accepts only $b + a$, whereas $\mathcal{L}_P(\mathcal{A}/\mathrm{C}) = \{a + b, b + a\}$. In particular $\mathcal{L}_P(\mathcal{A}/\mathrm{C}) \neq \mathrm{C}(\mathcal{L}_P(\mathcal{A}))$.

Theorem 14 also does not hold in general for alternating or general two-way automata. We have seen subclasses of automata with undecidable emptiness problem in Chapter 6.

We will sometimes need extended epsilon clauses:
$$P(x) \Leftarrow Q(x) \wedge P_1(x_1) \wedge \ldots \wedge P_n(x_n) \qquad (7.1)$$
where the variables $x, x_1, \ldots, x_n$ are distinct. Intuitively, this is an epsilon clause $P(x) \Leftarrow Q(x)$ together with emptiness tests on the states $P_1, \ldots, P_n$. These clauses don't increase the expressiveness of one-way equational tree automata:

Lemma 20 For any equational theory $\mathbb{E}$ and automaton $\mathcal{A}$ which contains clauses of a one-way automaton as well as extended epsilon clauses (7.1), we can compute a one-way automaton $\mathcal{B}$ such that for each $P$, $\mathcal{L}_P(\mathcal{A}/\mathbb{E}) = \mathcal{L}_P(\mathcal{B}/\mathbb{E})$.

Proof: Let $\mathcal{A}_{ext}$ be the set of clauses of $\mathcal{A}$ which are of the form (7.1) with $n \geq 1$. Then $\mathcal{A} \setminus \mathcal{A}_{ext}$ is a one-way automaton. We prove our result by induction on the number of clauses in $\mathcal{A}_{ext}$.

In case there is some clause $C = Q(x) \Leftarrow R(x) \wedge Q_1(x_1) \wedge \ldots \wedge Q_n(x_n)$ in $\mathcal{A}_{ext}$ such that for each $1 \leq i \leq n$, $\mathcal{L}_{Q_i}(\mathcal{A} \setminus \mathcal{A}_{ext}) \neq \emptyset$, let $\mathcal{A}' = (\mathcal{A} \setminus \{C\}) \cup \{Q(x) \Leftarrow R(x)\}$. Since $Q(x) \Leftarrow R(x) \models Q(x) \Leftarrow R(x) \wedge Q_1(x_1) \wedge \ldots \wedge Q_n(x_n)$, we have for every predicate $P$, $\mathcal{L}_P(\mathcal{A}/\mathbb{E}) \subseteq \mathcal{L}_P(\mathcal{A}'/\mathbb{E})$. To show the converse, given any derivation $\pi$ in $\mathcal{A}'/\mathbb{E}$, we can assume by Observation 1 that the only rules used in the derivation are of the form $(C'/\mathbb{E})$ for $C' \in \mathcal{A}'$. Then we replace all subderivations of the form
$$\dfrac{R(s)}{Q(t)}\ (Q(x) \Leftarrow R(x)/\mathbb{E})$$
(where clearly $s =_{\mathbb{E}} t$) by derivations of the form
$$\dfrac{R(s)\qquad Q_1(t_1)\ \cdots\ Q_n(t_n)}{Q(t)}\ (Q(x) \Leftarrow R(x) \wedge Q_1(x_1) \wedge \ldots \wedge Q_n(x_n)/\mathbb{E})$$
where $t_1, \ldots, t_n$ are some terms accepted at $Q_1, \ldots, Q_n$ in $\mathcal{A}$ (not $\mathcal{A}'$) modulo $\mathbb{E}$. Such terms exist because for each $1 \leq i \leq n$, $\mathcal{L}_{Q_i}(\mathcal{A} \setminus \mathcal{A}_{ext}) \neq \emptyset$. By this construction we get a derivation in $\mathcal{A}/\mathbb{E}$ which has the same conclusion as $\pi$. Hence $\mathcal{L}_P(\mathcal{A}'/\mathbb{E}) \subseteq \mathcal{L}_P(\mathcal{A}/\mathbb{E})$ for every $P$. We conclude that $\mathcal{L}_P(\mathcal{A}'/\mathbb{E}) = \mathcal{L}_P(\mathcal{A}/\mathbb{E})$ for every $P$.

Also the corresponding set $\mathcal{A}'_{ext}$ has one clause less than $\mathcal{A}_{ext}$. Hence by the induction hypothesis we get an automaton $\mathcal{B}$ such that for every $P$, $\mathcal{L}_P(\mathcal{B}/\mathbb{E}) = \mathcal{L}_P(\mathcal{A}'/\mathbb{E})$. Hence $\mathcal{B}$ is the required automaton.

On the other hand, suppose there is no clause $C$ in $\mathcal{A}_{ext}$ satisfying the above requirement. Then no clause from $\mathcal{A}_{ext}$ can be used in any derivation. Otherwise we would have some minimal derivation using such a clause. This derivation would have the form
$$\dfrac{R(s)\qquad Q_1(t_1)\ \cdots\ Q_n(t_n)}{Q(t)}\ (Q(x) \Leftarrow R(x) \wedge Q_1(x_1) \wedge \ldots \wedge Q_n(x_n)/\mathbb{E})$$
where, by minimality, the subderivations of $Q_1(t_1), \ldots, Q_n(t_n)$ use no clause of $\mathcal{A}_{ext}$. Then we have $\mathcal{L}_{Q_i}(\mathcal{A} \setminus \mathcal{A}_{ext}) \neq \emptyset$ for each $1 \leq i \leq n$, which is a contradiction. Hence $\mathcal{A} \setminus \mathcal{A}_{ext}$ is the required automaton. $\square$
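The saturation argument behind Theorem 14 and the clause-by-clause elimination of Lemma 20, as an added Python example (this is not code from the thesis). Clauses are kept as data: the head predicate, the root symbol of the head term (None for an epsilon clause), the body predicates on the head's variables and, for an extended epsilon clause (7.1), the emptiness-test predicates. Since Lemma 19 makes emptiness independent of the theory, the test never looks at $\mathbb{E}$. The sample automaton, its predicate names and the witness-term encoding are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Dict, List

@dataclass(frozen=True)
class Clause:
    """P(sym(x1..xn)) <= body[0](x1) ^ ... ^ body[n-1](xn) [^ extra[0](y0) ^ ...]; sym=None: epsilon clause."""
    head: str
    symbol: Optional[str]
    body: Tuple[str, ...]
    extra: Tuple[str, ...] = ()          # emptiness tests of an extended epsilon clause (7.1)

def nonempty_states(clauses: List[Clause]) -> Dict[str, tuple]:
    """Saturation: {P: witness term} for every P with L_P(A) != {} (terms as nested tuples).
    By Lemma 19, L_P(A/E) is empty iff L_P(A) is, so no theory E is consulted.  Each round adds at
    least one new state or stops, so there are at most |states| rounds of |clauses| steps."""
    witness: Dict[str, tuple] = {}
    changed = True
    while changed:
        changed = False
        for c in clauses:
            if c.head in witness or not all(q in witness for q in c.body + c.extra):
                continue
            if c.symbol is None:                       # epsilon clause: reuse the body's witness
                witness[c.head] = witness[c.body[0]]
            else:                                      # pop clause: build sym(witness_1, ..., witness_n)
                witness[c.head] = (c.symbol,) + tuple(witness[q] for q in c.body)
            changed = True
    return witness

def eliminate_extended_epsilon(clauses: List[Clause]) -> List[Clause]:
    """Lemma 20: a one-way automaton B with L_P(A/E) = L_P(B/E) for every P."""
    one_way = [c for c in clauses if not c.extra]      # A \ A_ext
    ext = [c for c in clauses if c.extra]              # A_ext
    while ext:
        live = nonempty_states(one_way)                # emptiness tests are decided on A \ A_ext
        usable = [c for c in ext if all(q in live for q in c.extra)]
        if not usable:
            break                                      # no remaining clause of A_ext can ever fire: drop them
        c = usable[0]
        ext.remove(c)
        one_way.append(Clause(c.head, None, c.body))   # replace C by the plain epsilon clause Q(x) <= R(x)
    return one_way

# Constructed sample automaton over the free symbols f (unary), a, b and the symbols +, 0.
SAMPLE = [
    Clause('A', 'a', ()),                  # A(a)
    Clause('B', 'b', ()),                  # B(b)
    Clause('F', 'f', ('A',)),              # F(f(x)) <= A(x)
    Clause('Plus', '+', ('A', 'B')),       # Plus(x + y) <= A(x) ^ B(y)
    Clause('Dead', 'f', ('Dead',)),        # Dead(f(x)) <= Dead(x): L_Dead is empty
    Clause('P', None, ('F',), ('B',)),     # P(x) <= F(x) ^ B(y): the test on B succeeds, becomes P(x) <= F(x)
    Clause('Q', None, ('F',), ('Dead',)),  # Q(x) <= F(x) ^ Dead(y): the test on Dead fails, clause dropped
    Clause('R', None, ('P',), ('Q',)),     # R(x) <= P(x) ^ Q(y): Q stays empty, so this is dropped too
]

if __name__ == '__main__':
    b = eliminate_extended_epsilon(SAMPLE)
    print(sorted(nonempty_states(b)))      # ['A', 'B', 'F', 'P', 'Plus']
```

The emptiness tests are always evaluated on the one-way part only, exactly as in the proof: a clause whose side predicates are empty there is never usable, even if another extended clause would have made them non-empty, because that clause is itself only kept once its own tests pass.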


7.2 Functional Supports and Reuse of Derivations

Next we come to the second set of basic results of our toolkit. We show some results about how certain parts of derivations can be reused to get other derivations. These parts are the ones that involve the clauses from the equational part of the automata. We deal with the theories ACU, AC and ACUD.


7.2.1 ACU Derivations

First of all we deal with the ACU case:

Lemma 21 Let $S$ be a set of epsilon clauses (3.3), $+$-pop clauses (3.6) and zero clauses (3.8). Let $\pi$ be a derivation of an atom $P(t)$ of the form
$$\pi \;=\; \dfrac{\;\overset{\pi_1}{P_1(t_1)}\;\cdots\;\overset{\pi_n}{P_n(t_n)}\;}{P(t)}\ (S/\mathrm{ACU})$$
(i.e. below the conclusions of $\pi_1, \ldots, \pi_n$ only clauses of $S$, modulo ACU, are used). Then we have:

1. $t =_{\mathrm{ACU}} t_1 + \ldots + t_n$ (the empty sum, for $n = 0$, is $0$).

2. If there are derivations $\pi'_1, \ldots, \pi'_n$ of atoms $P_1(s_1), \ldots, P_n(s_n)$ respectively, then there is a derivation $\pi'$ of $P(s_1 + \ldots + s_n)$ of the form
$$\pi' \;=\; \dfrac{\;\overset{\pi'_1}{P_1(s_1)}\;\cdots\;\overset{\pi'_n}{P_n(s_n)}\;}{P(s_1 + \ldots + s_n)}\ (S/\mathrm{ACU})$$
Proof: We do induction on the size of $\pi$. We have the following cases:

(i) $n = 0$ and
$$\pi \;=\; \dfrac{}{P(0)}\ (P(0)/\mathrm{ACU})$$
where the clause $P(0) \in S$. The required results hold trivially.

(ii) $n = 1$ and $\pi = \pi_1$. Clearly $t = t_1$ and $P = P_1$. This case is also trivial.

(iii)
$$\pi \;=\; \dfrac{\;\dfrac{\;\overset{\pi_1}{P_1(t_1)}\;\cdots\;\overset{\pi_n}{P_n(t_n)}\;}{P'(t')}\ (S/\mathrm{ACU})\;}{P(t)}\ (P(x) \Leftarrow P'(x)/\mathrm{ACU})$$
where the clause $P(x) \Leftarrow P'(x) \in S$. Clearly we have $t =_{\mathrm{ACU}} t'$. By the induction hypothesis we have $t' =_{\mathrm{ACU}} t_1 + \ldots + t_n$ and hence $t =_{\mathrm{ACU}} t_1 + \ldots + t_n$. If there are derivations $\pi'_1, \ldots, \pi'_n$ of atoms $P_1(s_1), \ldots, P_n(s_n)$ respectively, then by the induction hypothesis we have a derivation
$$\pi'' \;=\; \dfrac{\;\overset{\pi'_1}{P_1(s_1)}\;\cdots\;\overset{\pi'_n}{P_n(s_n)}\;}{P'(s_1 + \ldots + s_n)}\ (S/\mathrm{ACU})$$
The required derivation $\pi'$ of $P(s_1 + \ldots + s_n)$ is
$$\pi' \;=\; \dfrac{\;\overset{\pi''}{P'(s_1 + \ldots + s_n)}\;}{P(s_1 + \ldots + s_n)}\ (P(x) \Leftarrow P'(x)/\mathrm{ACU})$$

(iv)
$$\pi \;=\; \dfrac{\;\dfrac{\;\overset{\pi_1}{P_1(t_1)}\;\cdots\;\overset{\pi_m}{P_m(t_m)}\;}{P'_1(t'_1)}\ (S/\mathrm{ACU})\qquad\dfrac{\;\overset{\pi_{m+1}}{P_{m+1}(t_{m+1})}\;\cdots\;\overset{\pi_n}{P_n(t_n)}\;}{P'_2(t'_2)}\ (S/\mathrm{ACU})\;}{P(t)}\ (P(x + y) \Leftarrow P'_1(x) \wedge P'_2(y)/\mathrm{ACU})$$
where the clause $P(x + y) \Leftarrow P'_1(x) \wedge P'_2(y) \in S$. Clearly we have $t =_{\mathrm{ACU}} t'_1 + t'_2$. By the induction hypothesis we have $t'_1 =_{\mathrm{ACU}} t_1 + \ldots + t_m$ and $t'_2 =_{\mathrm{ACU}} t_{m+1} + \ldots + t_n$. Hence we have $t =_{\mathrm{ACU}} t'_1 + t'_2 =_{\mathrm{ACU}} t_1 + \ldots + t_n$. If there are derivations $\pi'_1, \ldots, \pi'_n$ of atoms $P_1(s_1), \ldots, P_n(s_n)$ respectively, then by the induction hypothesis we have derivations
$$\pi''_1 \;=\; \dfrac{\;\overset{\pi'_1}{P_1(s_1)}\;\cdots\;\overset{\pi'_m}{P_m(s_m)}\;}{P'_1(s_1 + \ldots + s_m)}\ (S/\mathrm{ACU}) \qquad\text{and}\qquad \pi''_2 \;=\; \dfrac{\;\overset{\pi'_{m+1}}{P_{m+1}(s_{m+1})}\;\cdots\;\overset{\pi'_n}{P_n(s_n)}\;}{P'_2(s_{m+1} + \ldots + s_n)}\ (S/\mathrm{ACU})$$
The required derivation $\pi'$ of $P(s_1 + \ldots + s_n)$ is
$$\pi' \;=\; \dfrac{\;\overset{\pi''_1}{P'_1(s_1 + \ldots + s_m)}\qquad\overset{\pi''_2}{P'_2(s_{m+1} + \ldots + s_n)}\;}{P(s_1 + \ldots + s_n)}\ (P(x + y) \Leftarrow P'_1(x) \wedge P'_2(y)/\mathrm{ACU})$$
$\square$

Note the form of the derivation
$$\pi \;=\; \dfrac{\;\overset{\pi_1}{P_1(t_1)}\;\cdots\;\overset{\pi_n}{P_n(t_n)}\;}{P(t)}\ (S/\mathrm{ACU})$$
in the statement of Lemma 21. In this thesis we will frequently need to write the derivations in automata in this kind of format. First observe that any derivation $\pi$ of an atom $P(t)$ in a general two-way ACU automaton can trivially be written in the above format by letting $n = 1$ and $\pi_1 = \pi$. However, if the automaton is a one-way ACU automaton, then we can be more particular and restrict the $\pi_i$'s to use a free pop clause at the root. For this we first have the following observation:


Observation 11 Fix a signature $\Sigma$. Let $S_1$ and $S_2$ be two disjoint sets of clauses and $\mathbb{E}$ be an equational theory. Let $\pi$ be a derivation modulo $\mathbb{E}$ using the clauses of $S_1 \cup S_2$ (i.e. the rules used in $\pi$ are of the form $C/\mathbb{E}$ for $C \in S_1 \cup S_2$). Then $\pi$ is of the form
$$\pi \;=\; \dfrac{\;\dfrac{\;P^1_1(t^1_1)\;\cdots\;P^{k_1}_1(t^{k_1}_1)\;}{P_1(t_1)}\ (S_1/\mathbb{E})\qquad\cdots\qquad\dfrac{\;P^1_n(t^1_n)\;\cdots\;P^{k_n}_n(t^{k_n}_n)\;}{P_n(t_n)}\ (S_1/\mathbb{E})\;}{P(t)}\ (S_2/\mathbb{E})$$
where only clauses of $S_2$ are used below the atoms $P_1(t_1), \ldots, P_n(t_n)$, each $P_i(t_i)$ is obtained by one clause of $S_1$, and the subderivations of the atoms $P^j_i(t^j_i)$ are again derivations using the clauses of $S_1 \cup S_2$ (hence of the same form).

Proof: The derivations leading to the conclusions $P_i(t_i)$ are the maximal subderivations of $\pi$ which use at the root a rule of the form $C/\mathbb{E}$ for $C \in S_1$. (There may be no such subderivations, in which case we would have $n = 0$.) $\square$

Intuitively the above observation allows us to label the clauses in an automaton using different colors, and then a derivation can be viewed as consisting of different layers, with each layer colored by a different color indicating the kind of clauses used in that layer. For example, if $\mathcal{A}$ is a one-way ACU-automaton then we can assume that any derivation $\pi$ in $\mathcal{A}/\mathrm{ACU}$ is of the form
$$\pi \;=\; \dfrac{\;\dfrac{\;P^1_1(t^1_1)\;\cdots\;P^{k_1}_1(t^{k_1}_1)\;}{P_1(f_1(t^1_1, \ldots, t^{k_1}_1))}\ (\mathcal{A}_{free}/\mathrm{ACU})\qquad\cdots\qquad\dfrac{\;P^1_n(t^1_n)\;\cdots\;P^{k_n}_n(t^{k_n}_n)\;}{P_n(f_n(t^1_n, \ldots, t^{k_n}_n))}\ (\mathcal{A}_{free}/\mathrm{ACU})\;}{P(t)}\ (\mathcal{A}_{eq}/\mathrm{ACU})$$
This result follows from Observation 11 by letting $S_1 = \mathcal{A}_{free}$, $S_2 = \mathcal{A}_{eq}$ and $\mathbb{E} = \mathrm{ACU}$. Note that from Lemma 21, $t =_{\mathrm{ACU}} f_1(t^1_1, \ldots, t^{k_1}_1) + \ldots + f_n(t^1_n, \ldots, t^{k_n}_n)$. Also note that $\mathcal{A}_{free}$ is the set of free pop clauses in $\mathcal{A}$, since $\mathcal{A}$ is a one-way automaton. Hence in the above derivation, the subderivation leading to the conclusion $P_i(f_i(t^1_i, \ldots, t^{k_i}_i))$ uses a free pop clause at the root.

This discussion leads to the following definition regarding ACU-derivations.

Definition 4 (ACU-Functional Support) Let $\pi$ be a derivation of an atom $P(t)$ in a one-way automaton $\mathcal{A}$ modulo ACU. If
$$\pi \;=\; \dfrac{\;\overset{\pi_1}{P_1(t_1)}\;\cdots\;\overset{\pi_n}{P_n(t_n)}\;}{P(t)}\ (\mathcal{A}_{eq}/\mathrm{ACU})$$
and if each $\pi_i$ uses a free pop clause as the last clause, then we say that the (unordered) list of atoms $P_1(t_1), \ldots, P_n(t_n)$ is the ACU-functional support of $\pi$.

Note that the functional support of any derivation in a one-way automaton modulo ACU is uniquely defined (up to ACU equivalence on terms) because of the preceding discussion. Also it is clear that each $t_i$ is a functional term, and from Lemma 21 we have that $t =_{\mathrm{ACU}} t_1 + \ldots + t_n$. We call this concept ACU-functional support to emphasize that the theory under discussion is ACU. Later on we will also need to define the notion of support with respect to other theories.


Example 6 Consider an ACU automaton $\mathcal{A}$ on signature $\{+, 0, a, f, g\}$, where $a$ is a constant and $f$ and $g$ are unary, having the following clauses:

$C_1 = P_1(0)$

$C_2 = P_1(a)$

$C_3 = P_1(f(x)) \Leftarrow P_1(x)$

$C_4 = P_3(x) \Leftarrow P_1(x)$

$C_5 = P_3(x + y) \Leftarrow P_3(x) \wedge P_1(y)$

$C_6 = P_1(g(x)) \Leftarrow P_3(x)$

The following is a derivation $\pi$ in $\mathcal{A}/\mathrm{ACU}$ (the step using $C_5$ with $C_1$ is modulo ACU, since $g(a + f(a)) + 0 =_{\mathrm{ACU}} g(a + f(a))$). Let
$$\pi_1 \;=\; \dfrac{\;\dfrac{\;\dfrac{\;\dfrac{}{P_1(a)}\ (C_2)\;}{P_3(a)}\ (C_4)\qquad\dfrac{\;\dfrac{}{P_1(a)}\ (C_2)\;}{P_1(f(a))}\ (C_3)\;}{P_3(a + f(a))}\ (C_5)\;}{P_1(g(a + f(a)))}\ (C_6)$$
and
$$\pi \;=\; \dfrac{\;\dfrac{\;\dfrac{\;\overset{\pi_1}{P_1(g(a + f(a)))}\;}{P_3(g(a + f(a)))}\ (C_4/\mathrm{ACU})\qquad\dfrac{}{P_1(0)}\ (C_1/\mathrm{ACU})\;}{P_3(g(a + f(a)))}\ (C_5/\mathrm{ACU})\qquad\dfrac{}{P_1(a)}\ (C_2/\mathrm{ACU})\;}{P_3(g(a + f(a)) + a)}\ (C_5/\mathrm{ACU})$$

This derivation can be denoted as
$$\pi \;=\; \dfrac{\;\overset{\pi_1}{P_1(g(a + f(a)))}\qquad\dfrac{}{P_1(a)}\ (C_2/\mathrm{ACU})\;}{P_3(g(a + f(a)) + a)}\ (\mathcal{A}_{eq}/\mathrm{ACU})$$
Observe that $\pi_1$ uses a free pop clause ($C_6$) as the last clause, and so does the derivation of $P_1(a)$ ($C_2$). Hence the functional support of $\pi$ is $P_1(g(a + f(a))), P_1(a)$.

On the other hand, $\pi$ can also be written in the form
$$\pi \;=\; \dfrac{\;\overset{\pi_2}{P_3(g(a + f(a)))}\qquad\dfrac{}{P_1(a)}\ (C_2/\mathrm{ACU})\;}{P_3(g(a + f(a)) + a)}\ (\mathcal{A}_{eq}/\mathrm{ACU})$$
where $\pi_2$ is the derivation of $P_3(g(a + f(a)))$ obtained from $\pi_1$ by the clause $C_4$. However $P_3(g(a + f(a))), P_1(a)$ is not the functional support of $\pi$: the derivation $\pi_2$ does not use a free pop clause as the last clause, rather it uses the epsilon clause $C_4$.
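Definition 4 and Lemma 21(1) applied to Example 6, as an added Python example (this is not code from the thesis). A derivation is a nested node (atom, clause used last, premises); $\mathcal{A}_{eq}$ and $\mathcal{A}_{free}$ are told apart by the root symbol of the clause head, and the support is read off by descending through the $\mathcal{A}_{eq}$ layer until a free-pop-rooted subderivation is met. Terms are nested tuples, and ACU equality is decided on the multiset of functional summands. The clause table and the derivation below are transcribed from Example 6; the tuple encoding is this example's own.

```python
from collections import Counter

# Terms: ('0',), ('a',), ('+', s, t), ('f', t), ('g', t).  Clauses of Example 6 as
# (head predicate, root symbol of the head term or None for an epsilon clause, body predicates).
CLAUSES = {
    'C1': ('P1', '0', ()),           # P1(0)
    'C2': ('P1', 'a', ()),           # P1(a)
    'C3': ('P1', 'f', ('P1',)),      # P1(f(x)) <= P1(x)
    'C4': ('P3', None, ('P1',)),     # P3(x) <= P1(x)
    'C5': ('P3', '+', ('P3', 'P1')), # P3(x + y) <= P3(x) ^ P1(y)
    'C6': ('P1', 'g', ('P3',)),      # P1(g(x)) <= P3(x)
}
EQ_SYMBOLS = {None, '+', '0'}        # epsilon, +-pop and zero clauses form A_eq; the others are A_free

def is_free_pop(clause):
    return CLAUSES[clause][1] not in EQ_SYMBOLS

def acu_summands(t):
    """ACU normal form of t: the multiset of its functional summands (+ is flattened, 0 dropped)."""
    if t[0] == '0':
        return Counter()
    if t[0] == '+':
        return acu_summands(t[1]) + acu_summands(t[2])
    return Counter({t: 1})

def acu_equal(s, t):
    return acu_summands(s) == acu_summands(t)

def functional_support(node):
    """Definition 4: descend through nodes whose last clause is in A_eq; the atoms of the first
    free-pop-rooted subderivations met form the (unordered) functional support."""
    atom, clause, premises = node
    if is_free_pop(clause):
        return [atom]
    support = []
    for premise in premises:
        support.extend(functional_support(premise))
    return support

def support_sum_matches(node):
    """Lemma 21(1): the derived term is ACU-equal to the sum of the support terms."""
    (_, t), _, _ = node
    total = Counter()
    for _, ti in functional_support(node):
        total += acu_summands(ti)
    return total == acu_summands(t)

# The derivation pi of Example 6, built bottom-up.
a, zero = ('a',), ('0',)
fa = ('f', a)
afa = ('+', a, fa)
gafa = ('g', afa)
d_P1a = (('P1', a), 'C2', [])
pi1 = (('P1', gafa), 'C6', [(('P3', afa), 'C5', [(('P3', a), 'C4', [d_P1a]), (('P1', fa), 'C3', [d_P1a])])])
pi2 = (('P3', gafa), 'C4', [pi1])                               # epsilon step: still inside the A_eq layer
pi3 = (('P3', gafa), 'C5', [pi2, (('P1', zero), 'C1', [])])     # g(a + f(a)) + 0 =ACU g(a + f(a))
pi = (('P3', ('+', gafa, a)), 'C5', [pi3, d_P1a])

if __name__ == '__main__':
    print(functional_support(pi))    # [('P1', g(a + f(a))), ('P1', a)]
    print(support_sum_matches(pi))   # True
```

Asking for the support of `pi2` returns $P_1(g(a + f(a)))$ rather than $P_3(g(a + f(a)))$, which is the point made at the end of Example 6: an atom reached by an epsilon clause is not part of the support, its free-pop-rooted premise is.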


7.2.2 AC Derivations

Observe that the presence of the unit symbol is not crucial for the discussion in the previous section regarding ACU derivations. These results can easily be generalized to the AC case. We merely state the result without repeating the proof:

Lemma 22 Let $S$ be a set of epsilon clauses (3.3) and $+$-pop clauses (3.6). Let $\pi$ be a derivation of an atom $P(t)$ of the form
$$\pi \;=\; \dfrac{\;\overset{\pi_1}{P_1(t_1)}\;\cdots\;\overset{\pi_n}{P_n(t_n)}\;}{P(t)}\ (S/\mathrm{AC})$$
Then we have:

1. $t =_{\mathrm{AC}} t_1 + \ldots + t_n$ (here $n \geq 1$, since there are no zero clauses).

2. If there are derivations $\pi'_1, \ldots, \pi'_n$ of atoms $P_1(s_1), \ldots, P_n(s_n)$ respectively, then there is a derivation $\pi'$ of $P(s_1 + \ldots + s_n)$ of the form
$$\pi' \;=\; \dfrac{\;\overset{\pi'_1}{P_1(s_1)}\;\cdots\;\overset{\pi'_n}{P_n(s_n)}\;}{P(s_1 + \ldots + s_n)}\ (S/\mathrm{AC})$$

Similarly the notion of functional support can be defined also for the AC case:

Definition 5 (AC-Functional Support) Let $\pi$ be a derivation of an atom $P(t)$ in a one-way automaton $\mathcal{A}$ modulo AC. If
$$\pi \;=\; \dfrac{\;\overset{\pi_1}{P_1(t_1)}\;\cdots\;\overset{\pi_n}{P_n(t_n)}\;}{P(t)}\ (\mathcal{A}_{eq}/\mathrm{AC})$$
and if each $\pi_i$ uses a free pop clause as the last clause, then we say that the (unordered) list of atoms $P_1(t_1), \ldots, P_n(t_n)$ is the AC-functional support of $\pi$.

Again the functional support of any derivation in a one-way automaton modulo AC is uniquely defined (up to AC equivalence on terms). Also it is clear that each $t_i$ is a functional term, and from Lemma 22 we have that $t =_{\mathrm{AC}} t_1 + \ldots + t_n$.
7.2.3 ACUD Derivations

We now give the generalization of Lemma 21 to the ACUD case.

Lemma 23 Let $S$ be a set of epsilon clauses (3.3), $+$-pop clauses (3.6), zero clauses (3.8) and minus clauses (3.7). Let $\pi$ be a derivation of an atom $P(t)$ of the form
$$\pi \;=\; \dfrac{\;\overset{\pi_1}{P_1(t_1)}\;\cdots\;\overset{\pi_n}{P_n(t_n)}\;}{P(t)}\ (S/\mathrm{ACUD})$$
Then we have:

(i) $t =_{\mathrm{ACUD}} \pm_1 t_1 \pm_2 \ldots \pm_n t_n$ for some $\pm_1, \ldots, \pm_n \in \{+, -\}$. ($+t_1$ means $t_1$.)

(ii) If there are derivations $\pi'_1, \ldots, \pi'_n$ of atoms $P_1(s_1), \ldots, P_n(s_n)$ respectively, then there is a derivation $\pi'$ of $P(\pm_1 s_1 \pm_2 \ldots \pm_n s_n)$ (the $\pm_i$'s here are the same as in (i)) of the form
$$\pi' \;=\; \dfrac{\;\overset{\pi'_1}{P_1(s_1)}\;\cdots\;\overset{\pi'_n}{P_n(s_n)}\;}{P(\pm_1 s_1 \pm_2 \ldots \pm_n s_n)}\ (S/\mathrm{ACUD})$$


Proof: The proof is similar to the proof of the corresponding result for the ACU case (Lemma 21). We do induction on the size of $\pi$. We have the following cases:

(i) $n = 0$ and
$$\pi \;=\; \dfrac{}{P(0)}\ (P(0)/\mathrm{ACUD})$$
where the clause $P(0) \in S$. The required results hold trivially.

(ii) $n = 1$ and $\pi = \pi_1$. Clearly $t = t_1$ and $P = P_1$. This case is also trivial.

(iii)
$$\pi \;=\; \dfrac{\;\dfrac{\;\overset{\pi_1}{P_1(t_1)}\;\cdots\;\overset{\pi_n}{P_n(t_n)}\;}{P'(t')}\ (S/\mathrm{ACUD})\;}{P(t)}\ (P(x) \Leftarrow P'(x)/\mathrm{ACUD})$$
where the clause $P(x) \Leftarrow P'(x) \in S$. Clearly we have $t =_{\mathrm{ACUD}} t'$. By the induction hypothesis we have $t' =_{\mathrm{ACUD}} \pm_1 t_1 \pm_2 \ldots \pm_n t_n$ and hence $t =_{\mathrm{ACUD}} \pm_1 t_1 \pm_2 \ldots \pm_n t_n$. If there are derivations $\pi'_1, \ldots, \pi'_n$ of atoms $P_1(s_1), \ldots, P_n(s_n)$ respectively, then by the induction hypothesis we have a derivation
$$\pi'' \;=\; \dfrac{\;\overset{\pi'_1}{P_1(s_1)}\;\cdots\;\overset{\pi'_n}{P_n(s_n)}\;}{P'(\pm_1 s_1 \pm_2 \ldots \pm_n s_n)}\ (S/\mathrm{ACUD})$$
The required derivation $\pi'$ of $P(\pm_1 s_1 \pm_2 \ldots \pm_n s_n)$ is
$$\pi' \;=\; \dfrac{\;\overset{\pi''}{P'(\pm_1 s_1 \pm_2 \ldots \pm_n s_n)}\;}{P(\pm_1 s_1 \pm_2 \ldots \pm_n s_n)}\ (P(x) \Leftarrow P'(x)/\mathrm{ACUD})$$

(iv)
$$\pi \;=\; \dfrac{\;\dfrac{\;\overset{\pi_1}{P_1(t_1)}\;\cdots\;\overset{\pi_n}{P_n(t_n)}\;}{P'(t')}\ (S/\mathrm{ACUD})\;}{P(t)}\ (P(-x) \Leftarrow P'(x)/\mathrm{ACUD})$$
where the clause $P(-x) \Leftarrow P'(x) \in S$. Clearly we have $t =_{\mathrm{ACUD}} -t'$. By the induction hypothesis we have $t' =_{\mathrm{ACUD}} \pm_1 t_1 \pm_2 \ldots \pm_n t_n$ and hence, by the axioms $-(x + y) = -x + (-y)$ and $-(-x) = x$, $t =_{\mathrm{ACUD}} \mp_1 t_1 \mp_2 \ldots \mp_n t_n$ (where $\mp_i$ denotes the sign in $\{+, -\} \setminus \{\pm_i\}$). If there are derivations $\pi'_1, \ldots, \pi'_n$ of atoms $P_1(s_1), \ldots, P_n(s_n)$ respectively, then by the induction hypothesis we have a derivation
$$\pi'' \;=\; \dfrac{\;\overset{\pi'_1}{P_1(s_1)}\;\cdots\;\overset{\pi'_n}{P_n(s_n)}\;}{P'(\pm_1 s_1 \pm_2 \ldots \pm_n s_n)}\ (S/\mathrm{ACUD})$$
The required derivation $\pi'$ of $P(\mp_1 s_1 \mp_2 \ldots \mp_n s_n)$ is
$$\pi' \;=\; \dfrac{\;\overset{\pi''}{P'(\pm_1 s_1 \pm_2 \ldots \pm_n s_n)}\;}{P(\mp_1 s_1 \mp_2 \ldots \mp_n s_n)}\ (P(-x) \Leftarrow P'(x)/\mathrm{ACUD})$$
since $-(\pm_1 s_1 \pm_2 \ldots \pm_n s_n) =_{\mathrm{ACUD}} \mp_1 s_1 \mp_2 \ldots \mp_n s_n$.

(v)
$$\pi \;=\; \dfrac{\;\dfrac{\;\overset{\pi_1}{P_1(t_1)}\;\cdots\;\overset{\pi_m}{P_m(t_m)}\;}{P'_1(t'_1)}\ (S/\mathrm{ACUD})\qquad\dfrac{\;\overset{\pi_{m+1}}{P_{m+1}(t_{m+1})}\;\cdots\;\overset{\pi_n}{P_n(t_n)}\;}{P'_2(t'_2)}\ (S/\mathrm{ACUD})\;}{P(t)}\ (P(x + y) \Leftarrow P'_1(x) \wedge P'_2(y)/\mathrm{ACUD})$$
where the clause $P(x + y) \Leftarrow P'_1(x) \wedge P'_2(y) \in S$. Clearly we have $t =_{\mathrm{ACUD}} t'_1 + t'_2$. By the induction hypothesis we have $t'_1 =_{\mathrm{ACUD}} \pm_1 t_1 \pm_2 \ldots \pm_m t_m$ and $t'_2 =_{\mathrm{ACUD}} \pm_{m+1} t_{m+1} \pm_{m+2} \ldots \pm_n t_n$. Hence we have $t =_{\mathrm{ACUD}} t'_1 + t'_2 =_{\mathrm{ACUD}} \pm_1 t_1 \pm_2 \ldots \pm_n t_n$. If there are derivations $\pi'_1, \ldots, \pi'_n$ of atoms $P_1(s_1), \ldots, P_n(s_n)$ respectively, then by the induction hypothesis we have derivations
$$\pi''_1 \;=\; \dfrac{\;\overset{\pi'_1}{P_1(s_1)}\;\cdots\;\overset{\pi'_m}{P_m(s_m)}\;}{P'_1(\pm_1 s_1 \pm_2 \ldots \pm_m s_m)}\ (S/\mathrm{ACUD}) \qquad\text{and}\qquad \pi''_2 \;=\; \dfrac{\;\overset{\pi'_{m+1}}{P_{m+1}(s_{m+1})}\;\cdots\;\overset{\pi'_n}{P_n(s_n)}\;}{P'_2(\pm_{m+1} s_{m+1} \pm_{m+2} \ldots \pm_n s_n)}\ (S/\mathrm{ACUD})$$
The required derivation $\pi'$ of $P(\pm_1 s_1 \pm_2 \ldots \pm_n s_n)$ is
$$\pi' \;=\; \dfrac{\;\overset{\pi''_1}{P'_1(\pm_1 s_1 \pm_2 \ldots \pm_m s_m)}\qquad\overset{\pi''_2}{P'_2(\pm_{m+1} s_{m+1} \pm_{m+2} \ldots \pm_n s_n)}\;}{P(\pm_1 s_1 \pm_2 \ldots \pm_n s_n)}\ (C/\mathrm{ACUD})$$
where $C = P(x + y) \Leftarrow P'_1(x) \wedge P'_2(y)$. $\square$

Next we are going to define the equivalent of ACU-functional support for the theory ACUD. Similarly to the ACU theory, we first note that if $\mathcal{A}$ is a one-way ACUD-automaton then we can assume that any derivation $\pi$ in $\mathcal{A}/\mathrm{ACUD}$ is of the form
$$\pi \;=\; \dfrac{\;\dfrac{\;P^1_1(t^1_1)\;\cdots\;P^{k_1}_1(t^{k_1}_1)\;}{P_1(f_1(t^1_1, \ldots, t^{k_1}_1))}\ (\mathcal{A}_{free}/\mathrm{ACUD})\qquad\cdots\qquad\dfrac{\;P^1_n(t^1_n)\;\cdots\;P^{k_n}_n(t^{k_n}_n)\;}{P_n(f_n(t^1_n, \ldots, t^{k_n}_n))}\ (\mathcal{A}_{free}/\mathrm{ACUD})\;}{P(t)}\ (\mathcal{A}_{eq}/\mathrm{ACUD})$$
This result follows from Observation 11 by letting $S_1 = \mathcal{A}_{free}$, $S_2 = \mathcal{A}_{eq}$ and $\mathbb{E} = \mathrm{ACUD}$. Note that the set $\mathcal{A}_{eq}$ in this case also contains clauses of the form $P(-x) \Leftarrow P_1(x)$, which were not present in the ACU case. Also from Lemma 23 we have $t =_{\mathrm{ACUD}} \pm_1 f_1(t^1_1, \ldots, t^{k_1}_1) \pm_2 \ldots \pm_n f_n(t^1_n, \ldots, t^{k_n}_n)$.

Definition 6 (ACUD-Functional Support) Let $\pi$ be a derivation of an atom $P(t)$ in a one-way automaton $\mathcal{A}$ modulo ACUD. If
$$\pi \;=\; \dfrac{\;\overset{\pi_1}{P_1(t_1)}\;\cdots\;\overset{\pi_n}{P_n(t_n)}\;}{P(t)}\ (\mathcal{A}_{eq}/\mathrm{ACUD})$$
and if each $\pi_i$ uses a free pop clause as the last clause, then we say that the (unordered) list of atoms $P_1(t_1), \ldots, P_n(t_n)$ is the ACUD-functional support of $\pi$.

As in the ACU case, the ACUD-functional support of any derivation in a one-way automaton modulo ACUD is uniquely defined (up to ACUD equivalence on terms). Also it is clear that each $t_i$ is a functional term, and from Lemma 23 we have that $t =_{\mathrm{ACUD}} \pm_1 t_1 \pm_2 \ldots \pm_n t_n$.


7.3 Constant-Only Automata

Now we come to the third ingredient of our toolkit. The results in this section are in fact the most important results in the thesis, in the sense that all further results make abundant use of them. We study the constant-only ACU, AC and ACUD automata. In particular we show that the languages accepted by these automata are exactly the semilinear sets (equivalently, the Presburger-definable sets), up to some encoding.
7.3.1 ACU Automata

In this section we recall some important results on constant-only ACU automata which will be useful throughout this thesis. We fix a signature $\Sigma = \{+, 0, a_1, \ldots, a_p\}$ where $a_1, \ldots, a_p$ are mutually distinct constants. Every term $t \in T(\Sigma)$ can be written in the form $t =_{\mathrm{ACU}} \sum_{i=1}^{p} n_i a_i$ with $n_i \in \mathbb{N}$. This term can be identified with the $p$-tuple $(n_1, \ldots, n_p) \in \mathbb{N}^p$. Hence the ACU-automata on $\Sigma$ can be viewed as acceptors of subsets of $\mathbb{N}^p$.

First of all we look at some other acceptors of such sets.

Definition 7 (Semilinear) A linear set is a set of the form $\{v + n_1 v_1 + \ldots + n_k v_k \mid n_1, \ldots, n_k \in \mathbb{N}\}$ for some $v, v_1, \ldots, v_k \in \mathbb{N}^p$. A semilinear set is a finite union of linear sets.

Definition 8 (Presburger Arithmetic) By Presburger arithmetic we mean the first-order logic in which the function symbols are $0, 1, +$ and the predicate symbols are $<, =$. The domain of interpretation is fixed to be $\mathbb{N}$, and the interpretations of the symbols $0, 1, +, <$ and $=$ are also fixed to be the usual functions and predicates on $\mathbb{N}$.

Thus to define the semantics of any formula in Presburger arithmetic, we only need to give an assignment which maps variables to natural numbers. Hence a Presburger formula can be considered as defining a set of tuples of natural numbers. If $\phi$ is a Presburger formula and $x_1, \ldots, x_n$ are distinct variables such that all the free variables of $\phi$ are in the set $\{x_1, \ldots, x_n\}$, then the set defined by $\phi$, written $[\![\phi]\!]$, is the set of all tuples $v \in \mathbb{N}^n$ such that the assignment which maps every $x_i$ to $v(i)$ makes $\phi$ true. Then we have the following result:

Lemma 24 ([GS66]) The semilinear sets are exactly the sets definable in Presburger arithmetic.

In particular the semilinear sets are closed under union, intersection, complementation and projection, since these operations correspond to the logical operations $\vee$, $\wedge$, $\neg$ and existential quantification $\exists$ respectively.

Now we look at the relationship between semilinear sets and constant-only ACU automata. For this we first need a translation of our automata to context-free grammars, similar to the one defined for constant-only A tree automata in Chapter 4. However now our signature also contains the symbol $0$, which was not present in the discussion on A tree automata. Hence we need to extend the $str$ function defined earlier. Observe that for any term $t \in T(\Sigma)$, we have $t =_{\mathrm{AU}} a_{i_1} + \ldots + a_{i_n}$ for some $1 \leq i_1, \ldots, i_n \leq p$, $n \geq 0$. As in the A case, this representation is unique. The difference from the A case is that we allow $n$ to be $0$, to be able to represent the term $0$. Let $\Gamma$ be the set of constants of $\Sigma$. The function $str : T(\Sigma) \to \Gamma^*$ is defined as $str(t) = a_{i_1} \ldots a_{i_n}$ where $t =_{\mathrm{AU}} a_{i_1} + \ldots + a_{i_n}$. In particular we have $str(0) = \epsilon$. The range of $str$ is now the whole of $\Gamma^*$, including the empty string. Hence we have a one-one correspondence between AU-closed tree languages built on $\Sigma$ and the subsets of $\Gamma^*$, with the correspondence being defined by $str$.

Now we define a translation from constant-only AU tree automata to context-free grammars. This translation is defined by the function $gram$, which is an extension of the $gram$ function defined in Chapter 4 for the A case. Now we need to take care of the new kind of clauses $P(0)$, which were not present in the A case. Given a constant-only automaton $\mathcal{A}$ on signature $\Sigma$, we define a context-free grammar $gram(\mathcal{A})$ as follows. The non-terminals are the predicates of $\mathcal{A}$. $\Gamma$ is the set of terminals. The start symbol $S$ is the final state of $\mathcal{A}$. We have production rules in $gram(\mathcal{A})$ corresponding to clauses of $\mathcal{A}$ as indicated in the table below.
$$\begin{array}{ll} \text{clause of } \mathcal{A} & \text{production of } gram(\mathcal{A}) \\ P(x + y) \Leftarrow P_1(x) \wedge P_2(y) & P \to P_1 P_2 \\ P(a) & P \to a \\ P(x) \Leftarrow P_1(x) & P \to P_1 \\ P(0) & P \to \epsilon \end{array}$$

Similarly, given a context-free grammar $G = (V, \Gamma, \mathcal{P}, S)$ such that $\mathcal{P}$ contains only production rules of the form $P \to P_1 P_2$, $P \to a$, $P \to P_1$ and $P \to \epsilon$, we have a constant-only automaton $gram^{-1}(G)$ (which is uniquely defined up to renaming of variables in clauses) on signature $\Gamma \cup \{+, 0\}$, such that its set of predicates is $V$ and the final state is $S$.

Then we have the following result:

Lemma 25 $P(t)$ is derivable in $\mathcal{A}/\mathrm{AU}$ iff $P \Rightarrow^*_{gram(\mathcal{A})} str(t)$. Hence $str(\mathcal{L}(\mathcal{A}/\mathrm{AU})) = L(gram(\mathcal{A}))$.

Lemma 26 Constant-only AU tree automata on signature $\Sigma$ accept exactly the languages $\mathcal{L}$ such that $str(\mathcal{L})$ is a context-free language on symbols from $\Sigma \setminus \{+, 0\}$.

Proof: From Lemma 13, every context-free language not containing $\epsilon$ is generated by a context-free grammar with rules of the form $A \to BC$ and $A \to a$. Hence a context-free language $L$ containing $\epsilon$ is generated by the context-free grammar obtained by adding the rule $S \to \epsilon$ to the context-free grammar which generates $L \setminus \{\epsilon\}$. Here $S$ is the start symbol. (Recall that $L \setminus \{\epsilon\}$ is context-free since $L$ is context-free.)

Hence every context-free language $L$ is generated by a grammar $G$ containing only production rules of the form $A \to BC$, $A \to a$ and $A \to \epsilon$. From Lemma 25 we have $L = str(\mathcal{L}(gram^{-1}(G)/\mathrm{AU}))$.

Conversely, if $\mathcal{A}$ is a constant-only AU automaton, then $gram(\mathcal{A})$ is a context-free grammar. Hence $L(gram(\mathcal{A}))$ is a context-free language. Also from Lemma 25 we have $str(\mathcal{L}(\mathcal{A}/\mathrm{AU})) = L(gram(\mathcal{A}))$. $\square$

This shows the equivalence between constant-only AU automata and context-free languages. By adding the axiom C to the theory AU we get the theory ACU. We now show that constant-only ACU automata are equivalent to semilinear sets. For this we use the connection between context-free languages and semilinear sets given by Parikh's Theorem. First we define the commutative image $comm(x)$ of a string $x \in (\Sigma \setminus \{+, 0\})^*$ to be the tuple $v \in \mathbb{N}^p$ such that for $1 \leq i \leq p$, $v(i)$ is the number of times the symbol $a_i$ occurs in the string $x$. Given a language $L \subseteq (\Sigma \setminus \{+, 0\})^*$, the set $comm(L) \subseteq \mathbb{N}^p$ is defined as usual, and is called the commutative image of $L$. Parikh's Theorem states that:

Theorem 15 (Parikh [Par66]) Semilinear sets are exactly the commutative images of context-free languages.

Let us also emphasize that we have effective procedures for converting context-free languages to semilinear sets and back, which is necessary for the decidability proofs in the thesis.

If $t \in T(\Sigma)$ and $t =_{\mathrm{ACU}} \sum_{i=1}^{p} n_i a_i$ then we have $comm(str(t)) = (n_1, \ldots, n_p)$. Hence we have a one-one correspondence between the terms on $\Sigma$ modulo ACU and the tuples in $\mathbb{N}^p$. This also gives a one-one correspondence between ACU-closed languages on signature $\Sigma$ and the subsets of $\mathbb{N}^p$. From Lemma 26 and Theorem 15, and modulo this correspondence of languages, we have:

Theorem 16 Constant-only ACU automata accept exactly the semilinear sets.
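The translation $gram$, the functions $str$ and $comm$, and the view of a constant-only ACU automaton as an acceptor of a subset of $\mathbb{N}^p$, as an added Python example (this is not code from the thesis). Because the accepted set is in general infinite, the example computes $\mathcal{L}_S(\mathcal{A}/\mathrm{ACU})$ restricted to vectors of norm at most a bound, by saturating each predicate's set of vectors, and compares the result with a linear set in the sense of Definition 7. The automaton below, whose $str$-language is $a^n b^n$ with Parikh image the linear set $\{n(1, 1) \mid n \in \mathbb{N}\}$, and the tuple encoding of clauses are constructed for this example.

```python
from itertools import product

# Constant-only clauses as tuples:
#   ('base', P, a)         P(a)            ('zero', P)          P(0)
#   ('eps', P, P1)         P(x) <= P1(x)   ('plus', P, P1, P2)  P(x + y) <= P1(x) ^ P2(y)

def gram(clauses, start):
    """The gram translation of Section 7.3.1: non-terminals are the predicates, one production per clause."""
    prods = []
    for c in clauses:
        if c[0] == 'base':
            prods.append((c[1], (c[2],)))        # P -> a
        elif c[0] == 'zero':
            prods.append((c[1], ()))             # P -> epsilon
        elif c[0] == 'eps':
            prods.append((c[1], (c[2],)))        # P -> P1
        elif c[0] == 'plus':
            prods.append((c[1], (c[2], c[3])))   # P -> P1 P2
    return {'start': start, 'productions': prods}

def str_of(t):
    """str(t): the AU normal form of the term t read left to right; str(0) is the empty string."""
    if t[0] == '0':
        return ''
    if t[0] == '+':
        return str_of(t[1]) + str_of(t[2])
    return t[0]

def comm(word, constants):
    """Commutative (Parikh) image of a word over the constants, as a tuple in N^p."""
    return tuple(word.count(a) for a in constants)

def accepted_vectors(clauses, pred, constants, bound):
    """L_pred(A/ACU) intersected with {v in N^p : |v| <= bound}, by saturating per-predicate vector sets.
    Every set is a subset of the finite set of vectors of norm <= bound, so the fixpoint is reached."""
    unit = {a: tuple(int(a == b) for b in constants) for a in constants}
    zero = tuple(0 for _ in constants)
    vecs = {}

    def add(p, new):
        before = len(vecs.setdefault(p, set()))
        vecs[p].update(v for v in new if sum(v) <= bound)
        return len(vecs[p]) > before

    changed = True
    while changed:
        changed = False
        for c in clauses:
            if c[0] == 'base':
                new = {unit[c[2]]}
            elif c[0] == 'zero':
                new = {zero}
            elif c[0] == 'eps':
                new = set(vecs.get(c[2], ()))
            else:
                new = {tuple(x + y for x, y in zip(u, w))
                       for u in vecs.get(c[2], ()) for w in vecs.get(c[3], ())}
            changed |= add(c[1], new)
    return vecs.get(pred, set())

def linear_set_members(base, periods, bound):
    """Elements of the linear set {base + n1 p1 + ... + nk pk | ni in N} with norm <= bound (Definition 7)."""
    out = set()
    for coeffs in product(range(bound + 1), repeat=len(periods)):
        v = tuple(b + sum(n * p[i] for n, p in zip(coeffs, periods)) for i, b in enumerate(base))
        if sum(v) <= bound:
            out.add(v)
    return out

# Constructed automaton: S(0), S(x+y) <= A(x) ^ T(y), T(x+y) <= S(x) ^ B(y), A(a), B(b).
# gram of it is S -> eps | A T, T -> S B, A -> a, B -> b, i.e. str(L_S(A/AU)) = { a^n b^n : n >= 0 }.
ANBN = [('zero', 'S'), ('plus', 'S', 'A', 'T'), ('plus', 'T', 'S', 'B'), ('base', 'A', 'a'), ('base', 'B', 'b')]

if __name__ == '__main__':
    print(gram(ANBN, 'S')['productions'])
    print(sorted(accepted_vectors(ANBN, 'S', ('a', 'b'), 6)))   # [(0, 0), (1, 1), (2, 2), (3, 3)]
```

The string language $a^n b^n$ is not regular, but its commutative image is the linear set $\{(n, n)\}$; this is the gap between Lemma 26 (context-free languages) and Theorem 16 (semilinear sets) that Parikh's Theorem bridges.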
AC Automata

While the results in this section have till this point been restricted to the theory ACU, we can also prove analogous results for the AC theory. Consider constant-only AC automata on a signature $\Sigma = \{+, a_1, \ldots, a_p\}$. Since the U equation is absent from the theory, we use the $str$ function defined in Chapter 4 for terms modulo A. Again, if $t =_{\mathrm{AC}} \sum_{i=1}^{p} n_i a_i$ then $comm(str(t)) = (n_1, \ldots, n_p)$. Clearly $comm(str(t)) \neq (0, \ldots, 0)$. Hence in the AC case we have a one-one correspondence between AC-closed languages and subsets of $\mathbb{N}^p$ which don't contain the zero tuple. Also recall from Chapter 4 that constant-only A automata accept exactly the context-free languages which don't contain $\epsilon$. From Theorem 15 we deduce that the commutative images of such context-free languages are exactly the semilinear sets which don't contain the zero tuple; equivalently, they are exactly the sets of the form $S \setminus \{(0, \ldots, 0)\}$ where $S$ is a semilinear set. We conclude that:

Theorem 17 Constant-only AC automata accept exactly the sets of the form $S \setminus \{(0, \ldots, 0)\}$ where $S$ is a semilinear set.

In particular this class of languages is closed under intersection and complementation (complementation being taken relative to $\mathbb{N}^p \setminus \{(0, \ldots, 0)\}$).

7.3.2 ACUD Automata

Let $\Sigma$ be a signature containing only constants, together with the symbols $+$, $0$ and $-$. Let $\mathcal{A}$ be a constant-only ACUD automaton on signature $\Sigma$ with predicates in $\mathbb{P}$. Except for clauses (3.7), which introduce $-$ symbols, $\mathcal{A}$ would have been just an ACU automaton. In the ACUD case, the languages are in fact very similar to semilinear sets. We now make this more precise. Recall that $\Sigma_f = \Sigma \setminus \{+, 0, -\}$ is the set of constants in $\Sigma$. Let $\bar\Sigma_f = \{\bar a \mid a \in \Sigma_f\}$ be a set of fresh constants. Terms built from $\Sigma_f \cup \{+, -, 0\}$ modulo ACUD are of the form $a_1 + \dots + a_m - b_1 - \dots - b_n$ ($m, n \ge 0$), while those built from $\Sigma_f \cup \bar\Sigma_f \cup \{+, 0\}$ modulo ACU are of the form $a_1 + \dots + a_m + \bar b_1 + \dots + \bar b_n$ ($m, n \ge 0$). Hence there is a natural one-one correspondence between terms built on $\Sigma_f \cup \{+, -, 0\}$ modulo ACUD and terms built on $\Sigma_f \cup \bar\Sigma_f \cup \{+, 0\}$ modulo ACU. As a result there is a natural one-one correspondence between ACUD-closed languages on signature $\Sigma_f \cup \{+, -, 0\}$ and ACU-closed languages on signature $\Sigma_f \cup \bar\Sigma_f \cup \{+, 0\}$. We now show that $\mathcal{A}$ is equivalent to a constant-only ACU automaton modulo this correspondence of languages.

We introduce a new predicate symbol $\bar P$ for every $P \in \mathbb{P}$. Define automaton $\mathcal{B}$ to consist of the clauses corresponding to the clauses of $\mathcal{A}$ as defined in the following table:


clause of $\mathcal{A}$                      | clauses added to $\mathcal{B}$
$P(x) \Leftarrow P_1(x)$                      | $P(x) \Leftarrow P_1(x)$, $\bar P(x) \Leftarrow \bar P_1(x)$
$P(x + y) \Leftarrow P_1(x) \wedge P_2(y)$    | $P(x + y) \Leftarrow P_1(x) \wedge P_2(y)$, $\bar P(x + y) \Leftarrow \bar P_1(x) \wedge \bar P_2(y)$
$P(0)$                                        | $P(0)$, $\bar P(0)$
$P(a)$                                        | $P(a)$, $\bar P(\bar a)$
$P(-x) \Leftarrow P_1(x)$                     | $P(x) \Leftarrow \bar P_1(x)$, $\bar P(x) \Leftarrow P_1(x)$
Note that the $-$ symbol does not occur in $\mathcal{B}$. It is built on the signature $\Sigma_f \cup \bar\Sigma_f \cup \{+, 0\}$ and the set of predicates $\{P, \bar P \mid P \in \mathbb{P}\}$. The correspondence between $\mathcal{A}$ and $\mathcal{B}$ is stated by the following two lemmas, both of which are proved by easy inductions on derivations.

Lemma 27 If $P(a_1 + \dots + a_m - b_1 - \dots - b_n)$ is derivable in $\mathcal{A}/\mathrm{ACUD}$ then $P(a_1 + \dots + a_m + \bar b_1 + \dots + \bar b_n)$ and $\bar P(\bar a_1 + \dots + \bar a_m + b_1 + \dots + b_n)$ are derivable in $\mathcal{B}/\mathrm{ACU}$.

Proof: The derivation $\pi$ of $P(a_1 + \dots + a_m - b_1 - \dots - b_n)$ can be assumed to use only rules of the form $C/\mathrm{ACUD}$ where the clause $C \in \mathcal{A}$. We do induction on the size of the derivation $\pi$. We have the following cases:

(i) $\pi = \dfrac{}{P(0)}\ (P(0)/\mathrm{ACUD})$ where the clause $P(0) \in \mathcal{A}$. Then the clauses $P(0), \bar P(0) \in \mathcal{B}$. Hence we have the derivations
\[ \dfrac{}{P(0)}\ (P(0)/\mathrm{ACU}) \qquad\text{and}\qquad \dfrac{}{\bar P(0)}\ (\bar P(0)/\mathrm{ACU}) \]
in $\mathcal{B}/\mathrm{ACU}$.

(ii) $\pi = \dfrac{}{P(a)}\ (P(a)/\mathrm{ACUD})$ where the clause $P(a) \in \mathcal{A}$. Then the clauses $P(a), \bar P(\bar a) \in \mathcal{B}$. Hence we have the derivations
\[ \dfrac{}{P(a)}\ (P(a)/\mathrm{ACU}) \qquad\text{and}\qquad \dfrac{}{\bar P(\bar a)}\ (\bar P(\bar a)/\mathrm{ACU}) \]
in $\mathcal{B}/\mathrm{ACU}$.

(iii)
\[ \pi = \dfrac{P_1(a_1 + \dots + a_m - b_1 - \dots - b_n)}{P(a_1 + \dots + a_m - b_1 - \dots - b_n)}\ (P(x) \Leftarrow P_1(x)/\mathrm{ACUD}) \]
where the clause $P(x) \Leftarrow P_1(x) \in \mathcal{A}$. Then the clauses $P(x) \Leftarrow P_1(x)$, $\bar P(x) \Leftarrow \bar P_1(x) \in \mathcal{B}$. By induction hypothesis the atoms $P_1(a_1 + \dots + a_m + \bar b_1 + \dots + \bar b_n)$ and $\bar P_1(\bar a_1 + \dots + \bar a_m + b_1 + \dots + b_n)$ are derivable in $\mathcal{B}/\mathrm{ACU}$. Hence we have the derivations
\[ \dfrac{P_1(a_1 + \dots + a_m + \bar b_1 + \dots + \bar b_n)}{P(a_1 + \dots + a_m + \bar b_1 + \dots + \bar b_n)}\ (P(x) \Leftarrow P_1(x)/\mathrm{ACU}) \]
and
\[ \dfrac{\bar P_1(\bar a_1 + \dots + \bar a_m + b_1 + \dots + b_n)}{\bar P(\bar a_1 + \dots + \bar a_m + b_1 + \dots + b_n)}\ (\bar P(x) \Leftarrow \bar P_1(x)/\mathrm{ACU}) \]
in $\mathcal{B}/\mathrm{ACU}$.

(iv)
\[ \pi = \dfrac{P_1(a_1 + \dots + a_m - b_1 - \dots - b_n)}{P(-a_1 - \dots - a_m + b_1 + \dots + b_n)}\ (P(-x) \Leftarrow P_1(x)/\mathrm{ACUD}) \]
where the clause $P(-x) \Leftarrow P_1(x) \in \mathcal{A}$. Hence the clauses $P(x) \Leftarrow \bar P_1(x)$, $\bar P(x) \Leftarrow P_1(x) \in \mathcal{B}$. By induction hypothesis the atoms $P_1(a_1 + \dots + a_m + \bar b_1 + \dots + \bar b_n)$ and $\bar P_1(\bar a_1 + \dots + \bar a_m + b_1 + \dots + b_n)$ are derivable in $\mathcal{B}/\mathrm{ACU}$. Hence we have the derivations
\[ \dfrac{\bar P_1(\bar a_1 + \dots + \bar a_m + b_1 + \dots + b_n)}{P(\bar a_1 + \dots + \bar a_m + b_1 + \dots + b_n)}\ (P(x) \Leftarrow \bar P_1(x)/\mathrm{ACU}) \]
and
\[ \dfrac{P_1(a_1 + \dots + a_m + \bar b_1 + \dots + \bar b_n)}{\bar P(a_1 + \dots + a_m + \bar b_1 + \dots + \bar b_n)}\ (\bar P(x) \Leftarrow P_1(x)/\mathrm{ACU}) \]
in $\mathcal{B}/\mathrm{ACU}$.

(v)
\[ \pi = \dfrac{P_1\big(\sum_i a_i - \sum_k c_k\big) \qquad P_2\big(\sum_j b_j - \sum_l d_l\big)}{P\big(\sum_i a_i + \sum_j b_j - \sum_k c_k - \sum_l d_l\big)}\ (P(x + y) \Leftarrow P_1(x) \wedge P_2(y)/\mathrm{ACUD}) \]
where the clause $P(x + y) \Leftarrow P_1(x) \wedge P_2(y) \in \mathcal{A}$. Hence the clauses $P(x + y) \Leftarrow P_1(x) \wedge P_2(y)$, $\bar P(x + y) \Leftarrow \bar P_1(x) \wedge \bar P_2(y) \in \mathcal{B}$. By induction hypothesis, the atoms $P_1(\sum_i a_i + \sum_k \bar c_k)$, $\bar P_1(\sum_i \bar a_i + \sum_k c_k)$, $P_2(\sum_j b_j + \sum_l \bar d_l)$ and $\bar P_2(\sum_j \bar b_j + \sum_l d_l)$ are derivable in $\mathcal{B}/\mathrm{ACU}$. Hence we have the derivations
\[ \dfrac{P_1\big(\sum_i a_i + \sum_k \bar c_k\big) \qquad P_2\big(\sum_j b_j + \sum_l \bar d_l\big)}{P\big(\sum_i a_i + \sum_j b_j + \sum_k \bar c_k + \sum_l \bar d_l\big)}\ (P(x + y) \Leftarrow P_1(x) \wedge P_2(y)/\mathrm{ACU}) \]
and
\[ \dfrac{\bar P_1\big(\sum_i \bar a_i + \sum_k c_k\big) \qquad \bar P_2\big(\sum_j \bar b_j + \sum_l d_l\big)}{\bar P\big(\sum_i \bar a_i + \sum_j \bar b_j + \sum_k c_k + \sum_l d_l\big)}\ (\bar P(x + y) \Leftarrow \bar P_1(x) \wedge \bar P_2(y)/\mathrm{ACU}) \]
in $\mathcal{B}/\mathrm{ACU}$.

□


Lemma 28 If $P(a_1 + \dots + a_m + \bar b_1 + \dots + \bar b_n)$ or $\bar P(\bar a_1 + \dots + \bar a_m + b_1 + \dots + b_n)$ is derivable in $\mathcal{B}/\mathrm{ACU}$ then $P(a_1 + \dots + a_m - b_1 - \dots - b_n)$ is derivable in $\mathcal{A}/\mathrm{ACUD}$.

Proof: We assume that the derivation $\pi$ of $P(a_1 + \dots + a_m + \bar b_1 + \dots + \bar b_n)$ or $\bar P(\bar a_1 + \dots + \bar a_m + b_1 + \dots + b_n)$ in $\mathcal{B}/\mathrm{ACU}$ uses only rules of the form $C/\mathrm{ACU}$ where the clause $C \in \mathcal{B}$. We do induction on the size of $\pi$. We have the following cases:

(i) $\pi = \dfrac{}{P(0)}\ (P(0)/\mathrm{ACU})$ where the clause $P(0) \in \mathcal{B}$. Then the clause $P(0) \in \mathcal{A}$, and we have the derivation $\dfrac{}{P(0)}\ (P(0)/\mathrm{ACUD})$ in $\mathcal{A}/\mathrm{ACUD}$.

(ii) $\pi = \dfrac{}{\bar P(0)}\ (\bar P(0)/\mathrm{ACU})$ where the clause $\bar P(0) \in \mathcal{B}$. Then the clause $P(0) \in \mathcal{A}$, and we have the derivation $\dfrac{}{P(0)}\ (P(0)/\mathrm{ACUD})$ in $\mathcal{A}/\mathrm{ACUD}$.

(iii) $\pi = \dfrac{}{P(a)}\ (P(a)/\mathrm{ACU})$ where the clause $P(a) \in \mathcal{B}$. Then the clause $P(a) \in \mathcal{A}$, and we have the derivation $\dfrac{}{P(a)}\ (P(a)/\mathrm{ACUD})$ in $\mathcal{A}/\mathrm{ACUD}$.

(iv) $\pi = \dfrac{}{\bar P(\bar a)}\ (\bar P(\bar a)/\mathrm{ACU})$ where the clause $\bar P(\bar a) \in \mathcal{B}$. Then the clause $P(a) \in \mathcal{A}$, and we have the derivation $\dfrac{}{P(a)}\ (P(a)/\mathrm{ACUD})$ in $\mathcal{A}/\mathrm{ACUD}$.

(v)
\[ \pi = \dfrac{P_1(a_1 + \dots + a_m + \bar b_1 + \dots + \bar b_n)}{P(a_1 + \dots + a_m + \bar b_1 + \dots + \bar b_n)}\ (P(x) \Leftarrow P_1(x)/\mathrm{ACU}) \]
where the clause $P(x) \Leftarrow P_1(x) \in \mathcal{B}$. Then the clause $P(x) \Leftarrow P_1(x) \in \mathcal{A}$. By induction hypothesis, the atom $P_1(a_1 + \dots + a_m - b_1 - \dots - b_n)$ is derivable in $\mathcal{A}/\mathrm{ACUD}$ and hence we have the derivation
\[ \dfrac{P_1(a_1 + \dots + a_m - b_1 - \dots - b_n)}{P(a_1 + \dots + a_m - b_1 - \dots - b_n)}\ (P(x) \Leftarrow P_1(x)/\mathrm{ACUD}) \]
in $\mathcal{A}/\mathrm{ACUD}$.

(vi)
\[ \pi = \dfrac{\bar P_1(\bar a_1 + \dots + \bar a_m + b_1 + \dots + b_n)}{\bar P(\bar a_1 + \dots + \bar a_m + b_1 + \dots + b_n)}\ (\bar P(x) \Leftarrow \bar P_1(x)/\mathrm{ACU}) \]
where the clause $\bar P(x) \Leftarrow \bar P_1(x) \in \mathcal{B}$. Then the clause $P(x) \Leftarrow P_1(x) \in \mathcal{A}$. By induction hypothesis, the atom $P_1(a_1 + \dots + a_m - b_1 - \dots - b_n)$ is derivable in $\mathcal{A}/\mathrm{ACUD}$ and hence we have the derivation
\[ \dfrac{P_1(a_1 + \dots + a_m - b_1 - \dots - b_n)}{P(a_1 + \dots + a_m - b_1 - \dots - b_n)}\ (P(x) \Leftarrow P_1(x)/\mathrm{ACUD}) \]
in $\mathcal{A}/\mathrm{ACUD}$.

(vii)
\[ \pi = \dfrac{\bar P_1(\bar a_1 + \dots + \bar a_m + b_1 + \dots + b_n)}{P(\bar a_1 + \dots + \bar a_m + b_1 + \dots + b_n)}\ (P(x) \Leftarrow \bar P_1(x)/\mathrm{ACU}) \]
where the clause $P(x) \Leftarrow \bar P_1(x) \in \mathcal{B}$. Then the clause $P(-x) \Leftarrow P_1(x) \in \mathcal{A}$. By induction hypothesis, the atom $P_1(a_1 + \dots + a_m - b_1 - \dots - b_n)$ is derivable in $\mathcal{A}/\mathrm{ACUD}$ and hence we have the derivation
\[ \dfrac{P_1(a_1 + \dots + a_m - b_1 - \dots - b_n)}{P(-a_1 - \dots - a_m + b_1 + \dots + b_n)}\ (P(-x) \Leftarrow P_1(x)/\mathrm{ACUD}) \]
in $\mathcal{A}/\mathrm{ACUD}$.

(viii)
\[ \pi = \dfrac{P_1(a_1 + \dots + a_m + \bar b_1 + \dots + \bar b_n)}{\bar P(a_1 + \dots + a_m + \bar b_1 + \dots + \bar b_n)}\ (\bar P(x) \Leftarrow P_1(x)/\mathrm{ACU}) \]
where the clause $\bar P(x) \Leftarrow P_1(x) \in \mathcal{B}$. Then the clause $P(-x) \Leftarrow P_1(x) \in \mathcal{A}$. By induction hypothesis, the atom $P_1(a_1 + \dots + a_m - b_1 - \dots - b_n)$ is derivable in $\mathcal{A}/\mathrm{ACUD}$ and hence we have the derivation
\[ \dfrac{P_1(a_1 + \dots + a_m - b_1 - \dots - b_n)}{P(-a_1 - \dots - a_m + b_1 + \dots + b_n)}\ (P(-x) \Leftarrow P_1(x)/\mathrm{ACUD}) \]
in $\mathcal{A}/\mathrm{ACUD}$.

(ix)
\[ \pi = \dfrac{P_1\big(\sum_i a_i + \sum_k \bar c_k\big) \qquad P_2\big(\sum_j b_j + \sum_l \bar d_l\big)}{P\big(\sum_i a_i + \sum_j b_j + \sum_k \bar c_k + \sum_l \bar d_l\big)}\ (P(x + y) \Leftarrow P_1(x) \wedge P_2(y)/\mathrm{ACU}) \]
where the clause $P(x + y) \Leftarrow P_1(x) \wedge P_2(y) \in \mathcal{B}$. Then the clause $P(x + y) \Leftarrow P_1(x) \wedge P_2(y) \in \mathcal{A}$. By induction hypothesis, the atoms $P_1(\sum_i a_i - \sum_k c_k)$ and $P_2(\sum_j b_j - \sum_l d_l)$ are derivable in $\mathcal{A}/\mathrm{ACUD}$ and hence we have the derivation
\[ \dfrac{P_1\big(\sum_i a_i - \sum_k c_k\big) \qquad P_2\big(\sum_j b_j - \sum_l d_l\big)}{P\big(\sum_i a_i + \sum_j b_j - \sum_k c_k - \sum_l d_l\big)}\ (P(x + y) \Leftarrow P_1(x) \wedge P_2(y)/\mathrm{ACUD}) \]
in $\mathcal{A}/\mathrm{ACUD}$.

(x)
\[ \pi = \dfrac{\bar P_1\big(\sum_i \bar a_i + \sum_k c_k\big) \qquad \bar P_2\big(\sum_j \bar b_j + \sum_l d_l\big)}{\bar P\big(\sum_i \bar a_i + \sum_j \bar b_j + \sum_k c_k + \sum_l d_l\big)}\ (\bar P(x + y) \Leftarrow \bar P_1(x) \wedge \bar P_2(y)/\mathrm{ACU}) \]
where the clause $\bar P(x + y) \Leftarrow \bar P_1(x) \wedge \bar P_2(y) \in \mathcal{B}$. Then the clause $P(x + y) \Leftarrow P_1(x) \wedge P_2(y) \in \mathcal{A}$. By induction hypothesis, the atoms $P_1(\sum_i a_i - \sum_k c_k)$ and $P_2(\sum_j b_j - \sum_l d_l)$ are derivable in $\mathcal{A}/\mathrm{ACUD}$ and hence we have the derivation
\[ \dfrac{P_1\big(\sum_i a_i - \sum_k c_k\big) \qquad P_2\big(\sum_j b_j - \sum_l d_l\big)}{P\big(\sum_i a_i + \sum_j b_j - \sum_k c_k - \sum_l d_l\big)}\ (P(x + y) \Leftarrow P_1(x) \wedge P_2(y)/\mathrm{ACUD}) \]
in $\mathcal{A}/\mathrm{ACUD}$.

□

Now if the final state of $\mathcal{A}$ is $P$ then we name the same $P$ as the final state of $\mathcal{B}$. Then from Lemmas 27 and 28, and modulo the correspondence of languages described above, we have $\mathcal{L}(\mathcal{A}/\mathrm{ACUD}) = \mathcal{L}(\mathcal{B}/\mathrm{ACU})$. Hence modulo this correspondence of languages we conclude that

Theorem 18 The language accepted by a constant-only ACUD automaton with constants from $\Sigma_f$ is a semilinear set with constants from $\Sigma_f \cup \bar\Sigma_f$. Conversely, a semilinear set with constants from $\Sigma_f \cup \bar\Sigma_f$ can be represented as accepted by a constant-only ACUD automaton with constants from $\Sigma_f$.

7.4 Conclusion

We showed that one-way equational tree automata accept the equational closures of the languages accepted by the corresponding non-equational tree automata. This implies that emptiness of one-way E tree automata is decidable for any E. We then showed how certain parts of our derivations in equational tree automata can be reused to get new derivations. Finally we discussed an important class of our automata, called the constant-only automata, for which we showed characterizations using semilinear sets or Presburger-definable sets. Together, the results in this chapter will be used very often throughout the rest of this thesis.



Chapter 8


Intersection of One-Way Equational Tree Automata


In this chapter we study closure under intersection of one-way automata modulo our equational theories. We show that one-way automata modulo all the associative and commutative theories that we consider (AC, ACU, ACUX, ACUX$_n$, ACUD, ACUM, ACUI) are closed under intersection. In this sense these automata behave like non-equational tree automata. But this does not generalize to every equational theory. In particular we saw in Chapter 4 that one-way automata modulo A are not closed under intersection, a consequence of the fact that the class of context free languages is not closed under intersection. Our closure results also imply decidability of intersection-emptiness, which is the important question in verification of cryptographic protocols. Note also that decidability of membership is implied by these results.
In this chapter we study the closure under intersection of one-way automata modulo the various equational theories. We show that the one-way automata modulo all the associative commutative theories that we consider (AC, ACU, ACUX, ACUX$_n$, ACUD, ACUM, ACUI) are closed under intersection. In this respect these automata have similar behavior to non-equational tree automata. This result however does not generalize to all equational theories. In particular we have seen in Chapter 4 that one-way A tree automata are not closed under intersection. Our closure results also imply decidability of intersection-emptiness, which is the relevant question in verification of cryptographic protocols. Also note that decidability of membership is implied by these results.

To deal with intersection, our starting idea is the product construction for classical tree automata. In this approach, given two automata $\mathcal{A}_1$ and $\mathcal{A}_2$, we construct an automaton $\mathcal{A}$ which has states $(P, Q)$ where $P$ is a state in $\mathcal{A}_1$ and $Q$ is a state in $\mathcal{A}_2$. We intend $(P, Q)$ to accept the intersection of the languages accepted by $P$ and $Q$. Ignoring epsilon clauses for the moment, it then suffices to add clauses
\[ (P, Q)(f(x_1, \dots, x_n)) \Leftarrow (P_1, Q_1)(x_1) \wedge \dots \wedge (P_n, Q_n)(x_n) \]
to $\mathcal{A}$ corresponding to every pair of clauses
\[ P(f(x_1, \dots, x_n)) \Leftarrow P_1(x_1) \wedge \dots \wedge P_n(x_n) \in \mathcal{A}_1, \qquad Q(f(x_1, \dots, x_n)) \Leftarrow Q_1(x_1) \wedge \dots \wedge Q_n(x_n) \in \mathcal{A}_2. \]

Clearly this is not sufficient in the equational case, as shown in the following example:

Example 7 Consider automata
\[ \mathcal{A}_1 = \{P_1(a),\ P_2(b),\ P(x + y) \Leftarrow P_1(x) \wedge P_2(y)\} \]
\[ \mathcal{A}_2 = \{Q_1(b),\ Q_2(a),\ Q(x + y) \Leftarrow Q_1(x) \wedge Q_2(y)\} \]
The new automaton $\mathcal{A}$ obtained using the above procedure is
\[ \mathcal{A} = \{(P, Q)(x + y) \Leftarrow (P_1, Q_1)(x) \wedge (P_2, Q_2)(y)\} \]
This means that $(P, Q)$ does not accept any term. However, if we are working modulo the theory C of commutativity, then both the terms $a + b$ and $b + a$ are accepted at each of the states $P$ and $Q$.
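The translation of Section 7.3.2 and the failure of the naive product in Example 7, worked on constant-only automata as an added example (my code, not the thesis's). Derivability modulo ACU is decided on commutative images by a least fixpoint over the tuples below the target; the clause encoding, the tilde spelling of the bar predicates and constants, and the ACUD automaton with states P1, P2, N, S are conventions constructed for this illustration.

```python
from itertools import product

# Added example, not code from the thesis.  A constant-only automaton is a list
# of clause tuples in the shapes of Chapter 7 (predicates and constants are
# strings; "neg" is the ACUD clause (3.7) and must be translated before use):
#   ("zero", P)          P(0)              ("const", P, a)   P(a)
#   ("eps", P, P1)       P(x) <= P1(x)     ("neg", P, P1)    P(-x) <= P1(x)
#   ("plus", P, P1, P2)  P(x + y) <= P1(x) /\ P2(y)


def derivable(clauses, consts, target):
    """Predicates P such that P(t) is derivable modulo ACU, where t is the term
    whose commutative image over `consts` is the tuple `target`.  Modulo ACU a
    term is a multiset of constants and every sub-derivation derives a
    sub-multiset, so a least fixpoint over all tuples <= target is complete."""
    idx = {a: i for i, a in enumerate(consts)}
    p = len(consts)
    vecs = list(product(*[range(n + 1) for n in target]))
    known = {v: set() for v in vecs}          # tuple -> predicates derived at it
    changed = True
    while changed:
        changed = False
        for cl in clauses:
            facts = set()
            if cl[0] == "zero":
                facts.add(((0,) * p, cl[1]))
            elif cl[0] == "const" and cl[2] in idx:
                unit = tuple(int(i == idx[cl[2]]) for i in range(p))
                if unit in known:                  # the constant occurs in t
                    facts.add((unit, cl[1]))
            elif cl[0] == "eps":
                facts = {(v, cl[1]) for v in vecs if cl[2] in known[v]}
            elif cl[0] == "plus":
                for v1 in [v for v in vecs if cl[2] in known[v]]:
                    for v2 in [v for v in vecs if cl[3] in known[v]]:
                        s = tuple(x + y for x, y in zip(v1, v2))
                        if s in known:             # the sum stays below target
                            facts.add((s, cl[1]))
            for v, pred in facts:
                if pred not in known[v]:
                    known[v].add(pred)
                    changed = True
    return known[target]


def acud_to_acu(clauses):
    """The table of Section 7.3.2: each predicate P gets a bar twin (written P~)
    and each constant a a fresh twin a~ standing for -a.  The '-' symbol
    disappears, so the result is a plain constant-only ACU automaton."""
    bar = lambda s: s + "~"
    out = []
    for cl in clauses:
        kind, P = cl[0], cl[1]
        if kind == "zero":
            out += [("zero", P), ("zero", bar(P))]
        elif kind == "const":
            out += [("const", P, cl[2]), ("const", bar(P), bar(cl[2]))]
        elif kind == "eps":
            out += [("eps", P, cl[2]), ("eps", bar(P), bar(cl[2]))]
        elif kind == "plus":
            out += [("plus", P, cl[2], cl[3]), ("plus", bar(P), bar(cl[2]), bar(cl[3]))]
        elif kind == "neg":   # P(-x) <= P1(x)  becomes  P(x) <= P1~(x), P~(x) <= P1(x)
            out += [("eps", P, bar(cl[2])), ("eps", bar(P), cl[2])]
    return out


def naive_product(c1, c2):
    """Classical product construction of the Chapter 8 introduction: pair up
    clauses of the same shape argument by argument; states become pairs."""
    out = []
    for x in c1:
        for y in c2:
            if x[0] != y[0]:
                continue
            if x[0] == "zero":
                out.append(("zero", (x[1], y[1])))
            elif x[0] == "const" and x[2] == y[2]:
                out.append(("const", (x[1], y[1]), x[2]))
            elif x[0] == "eps":
                out.append(("eps", (x[1], y[1]), (x[2], y[2])))
            elif x[0] == "plus":
                out.append(("plus", (x[1], y[1]), (x[2], y[2]), (x[3], y[3])))
    return out


# Constructed ACUD automaton: state S accepts exactly the term a - b.
ACUD_A = [("const", "P1", "a"), ("const", "P2", "b"),
          ("neg", "N", "P2"), ("plus", "S", "P1", "N")]
CONSTS_B = ["a", "b", "a~", "b~"]          # Sigma_f together with its barred copy
ACU_B = acud_to_acu(ACUD_A)
# Lemma 27: S(a + b~) and S~(a~ + b) are derivable in B/ACU, S(a~ + b) is not:
#   derivable(ACU_B, CONSTS_B, (1, 0, 0, 1)) contains "S"
#   derivable(ACU_B, CONSTS_B, (0, 1, 1, 0)) contains "S~" but not "S"

# Example 7 of Chapter 8 as constructed clause sets: P and Q both accept a + b
# modulo ACU, but the naive product never derives (P, Q), since (P1, Q1) in the
# body of its only "plus" clause has no clause of its own.
A1 = [("const", "P1", "a"), ("const", "P2", "b"), ("plus", "P", "P1", "P2")]
A2 = [("const", "Q1", "b"), ("const", "Q2", "a"), ("plus", "Q", "Q1", "Q2")]
NAIVE = naive_product(A1, A2)   # derivable(NAIVE, ["a", "b"], (1, 1)) is empty
```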

8.1 One-Way ACU Automata

We show in this section that one-way ACU automata are effectively closed under intersection. Fix a signature $\Sigma$ containing at least the symbols $+$ and $0$. Let $\mathcal{A}_1$ and $\mathcal{A}_2$ be one-way equational tree automata on signature $\Sigma$. We will define an automaton $\mathcal{A}$ such that $\mathcal{L}(\mathcal{A}/\mathrm{ACU}) = \mathcal{L}(\mathcal{A}_1/\mathrm{ACU}) \cap \mathcal{L}(\mathcal{A}_2/\mathrm{ACU})$. Let the sets of states in $\mathcal{A}_1$ and $\mathcal{A}_2$ be $\mathbb{P}$ and $\mathbb{Q}$ respectively.

We introduce new predicate symbols $(P, Q)$ and $\langle P, Q\rangle$ for $(P, Q) \in \mathbb{P} \times \mathbb{Q}$. Predicate $(P, Q)$ is expected to accept the intersection of the languages accepted by $P$ and $Q$. $\langle P, Q\rangle$ is expected to accept the functional terms among the terms accepted at $(P, Q)$. We introduce new constants $a_{P,Q}$ for each $(P, Q) \in \mathbb{P} \times \mathbb{Q}$. In the construction below, $a_{P,Q}$ acts as an abstraction for the terms accepted at $\langle P, Q\rangle$. Define automaton $\mathcal{B}_1 = \mathcal{A}_{1eq} \cup \{P(a_{P,Q}) \mid (P, Q) \in \mathbb{P} \times \mathbb{Q}\}$. Define automaton $\mathcal{B}_2 = \mathcal{A}_{2eq} \cup \{Q(a_{P,Q}) \mid (P, Q) \in \mathbb{P} \times \mathbb{Q}\}$. $\mathcal{B}_i$ intuitively represents the set of possible derivations using the clauses of $\mathcal{A}_{ieq}$, with the constants being used as abstractions for functional terms. For $(P, Q) \in \mathbb{P} \times \mathbb{Q}$, $\mathcal{L}_P(\mathcal{B}_1/\mathrm{ACU})$ and $\mathcal{L}_Q(\mathcal{B}_2/\mathrm{ACU})$ are semilinear sets, hence $\mathcal{L}_P(\mathcal{B}_1/\mathrm{ACU}) \cap \mathcal{L}_Q(\mathcal{B}_2/\mathrm{ACU})$ is a semilinear set. Hence we can define a constant-only automaton $\mathcal{A}_{P,Q}$ with a final state $F_{P,Q}$ such that $\mathcal{L}_{F_{P,Q}}(\mathcal{A}_{P,Q}/\mathrm{ACU}) = \mathcal{L}_P(\mathcal{B}_1/\mathrm{ACU}) \cap \mathcal{L}_Q(\mathcal{B}_2/\mathrm{ACU})$. We assume that the automata $\mathcal{A}_1$, $\mathcal{A}_2$ and the $\mathcal{A}_{P,Q}$'s are all built from mutually disjoint sets of states.

The required automaton $\mathcal{A}$ contains

1. the clause $(P, Q)(x) \Leftarrow F_{P,Q}(x)$ for $(P, Q) \in \mathbb{P} \times \mathbb{Q}$.

2. the clauses from $\mathcal{A}_{P,Q\,eq}$ for $(P, Q) \in \mathbb{P} \times \mathbb{Q}$.

3. the clause $R(x) \Leftarrow \langle P', Q'\rangle(x)$ for each base clause $R(a_{P',Q'})$ in $\mathcal{A}_{P,Q}$, for $(P, Q) \in \mathbb{P} \times \mathbb{Q}$.

4. the clause
\[ \langle P, Q\rangle(f(x_1, \dots, x_n)) \Leftarrow (P_1, Q_1)(x_1) \wedge \dots \wedge (P_n, Q_n)(x_n) \]
for clauses
\[ P(f(x_1, \dots, x_n)) \Leftarrow P_1(x_1) \wedge \dots \wedge P_n(x_n) \in \mathcal{A}_{1free}, \qquad Q(f(x_1, \dots, x_n)) \Leftarrow Q_1(x_1) \wedge \dots \wedge Q_n(x_n) \in \mathcal{A}_{2free}. \]

Clearly $\mathcal{A}$ is a one-way automaton. That it represents the intersection of $\mathcal{A}_1$ and $\mathcal{A}_2$ is stated by Lemmas 29 and 30 respectively.

Lemma 29 If $P(t)$ and $Q(t)$ are derivable in $\mathcal{A}_1/\mathrm{ACU}$ and $\mathcal{A}_2/\mathrm{ACU}$ respectively, then $(P, Q)(t)$ is derivable in $\mathcal{A}/\mathrm{ACU}$.

Proof: We do induction on the sum of the sizes of the derivations $\pi_1$ and $\pi_2$ of $P(t)$ and $Q(t)$ respectively. $\pi_1$ must have a functional support of the form $P_1(t_1), \dots, P_n(t_n)$ and $\pi_2$ must have a functional support of the form $Q_1(t_1), \dots, Q_n(t_n)$ such that $t = t_1 + \dots + t_n$, and we have
\[ \pi_1 = \dfrac{P_1(t_1) \quad \cdots \quad P_n(t_n)}{P(t_1 + \dots + t_n)}\ (\mathcal{A}_{1eq}/\mathrm{ACU}) \tag{8.1} \]
\[ \pi_2 = \dfrac{Q_1(t_1) \quad \cdots \quad Q_n(t_n)}{Q(t_1 + \dots + t_n)}\ (\mathcal{A}_{2eq}/\mathrm{ACU}) \tag{8.2} \]

By definition of $\mathcal{B}_1$, the atoms $P_1(a_{P_1,Q_1}), \dots, P_n(a_{P_n,Q_n})$ are derivable in $\mathcal{B}_1/\mathrm{ACU}$. Since $\mathcal{A}_{1eq} \subseteq \mathcal{B}_1$, from (8.1) and using Lemma 21, $P(a_{P_1,Q_1} + \dots + a_{P_n,Q_n})$ is derivable in $\mathcal{B}_1/\mathrm{ACU}$. Similarly $Q(a_{P_1,Q_1} + \dots + a_{P_n,Q_n})$ is derivable in $\mathcal{B}_2/\mathrm{ACU}$. Hence $F_{P,Q}(a_{P_1,Q_1} + \dots + a_{P_n,Q_n})$ is derivable in $\mathcal{A}_{P,Q}/\mathrm{ACU}$. This derivation $\pi_3$ must have a functional support of the form $R_1(a_{P_1,Q_1}), \dots, R_n(a_{P_n,Q_n})$ and we must have
\[ \pi_3 = \dfrac{R_1(a_{P_1,Q_1}) \quad \cdots \quad R_n(a_{P_n,Q_n})}{F_{P,Q}(a_{P_1,Q_1} + \dots + a_{P_n,Q_n})}\ (\mathcal{A}_{P,Q\,eq}/\mathrm{ACU}) \tag{8.3} \]

For each $1 \le i \le n$, since $\mathcal{A}$ is functional we must have $t_i = f_i(t_i^1, \dots, t_i^{k_i})$ for some free $f_i$ of arity $k_i$. As $P_i(t_i)$ is in the functional support of $\pi_1$, we must have a clause $P_i(f_i(x_1, \dots, x_{k_i})) \Leftarrow P_i^1(x_1) \wedge \dots \wedge P_i^{k_i}(x_{k_i})$ in $\mathcal{A}_1$ such that for $1 \le j \le k_i$, $P_i^j(t_i^j)$ is derivable in $\mathcal{A}_1/\mathrm{ACU}$ with a derivation strictly smaller than $\pi_1$. Similarly we have a clause $Q_i(f_i(x_1, \dots, x_{k_i})) \Leftarrow Q_i^1(x_1) \wedge \dots \wedge Q_i^{k_i}(x_{k_i})$ in $\mathcal{A}_2$ such that for $1 \le j \le k_i$, $Q_i^j(t_i^j)$ is derivable in $\mathcal{A}_2/\mathrm{ACU}$ with a derivation strictly smaller than $\pi_2$. By induction hypothesis we have a derivation of $(P_i^j, Q_i^j)(t_i^j)$ in $\mathcal{A}/\mathrm{ACU}$. Also the clause $\langle P_i, Q_i\rangle(f_i(x_1, \dots, x_{k_i})) \Leftarrow (P_i^1, Q_i^1)(x_1) \wedge \dots \wedge (P_i^{k_i}, Q_i^{k_i})(x_{k_i}) \in \mathcal{A}$. Hence the atom $\langle P_i, Q_i\rangle(t_i)$ is derivable in $\mathcal{A}/\mathrm{ACU}$. Since the clause $R_i(a_{P_i,Q_i})$ is in $\mathcal{A}_{P,Q}$, the clause $R_i(x) \Leftarrow \langle P_i, Q_i\rangle(x)$ is in $\mathcal{A}$. Hence $R_i(t_i)$ is derivable in $\mathcal{A}/\mathrm{ACU}$. Also $\mathcal{A}_{P,Q\,eq} \subseteq \mathcal{A}$. Hence using (8.3) and Lemma 21, we get a derivation of $F_{P,Q}(t_1 + \dots + t_n)$ in $\mathcal{A}/\mathrm{ACU}$. Finally we use the clause $(P, Q)(x) \Leftarrow F_{P,Q}(x)$ to get a derivation of $(P, Q)(t)$ in $\mathcal{A}/\mathrm{ACU}$. □

Lemma 30 For $(P, Q) \in \mathbb{P} \times \mathbb{Q}$, if $(P, Q)(t)$ is derivable in $\mathcal{A}/\mathrm{ACU}$ then $P(t)$ and $Q(t)$ are derivable in $\mathcal{A}_1/\mathrm{ACU}$ and $\mathcal{A}_2/\mathrm{ACU}$ respectively.

Proof: We do induction on the size of the derivation $\pi$ of $(P, Q)(t)$. Since $(P, Q)(x) \Leftarrow F_{P,Q}(x)$ is the only clause which has the predicate $(P, Q)$ in the head, $\pi$ uses it as the last clause, and $F_{P,Q}(t)$ is derivable in $\mathcal{A}/\mathrm{ACU}$. Again by examining the clauses in $\mathcal{A}$, we conclude that the derivation $\pi_1$ of $F_{P,Q}(t)$ must have a functional support of the form $\langle P_1, Q_1\rangle(t_1), \dots, \langle P_n, Q_n\rangle(t_n)$ such that $t =_{ACU} t_1 + \dots + t_n$, and $\pi_1$ must be of the form
\[ \pi_1 = \dfrac{\dfrac{\langle P_1, Q_1\rangle(t_1)}{R_1(t_1)}\ (R_1(x) \Leftarrow \langle P_1, Q_1\rangle(x)) \quad \cdots \quad \dfrac{\langle P_n, Q_n\rangle(t_n)}{R_n(t_n)}\ (R_n(x) \Leftarrow \langle P_n, Q_n\rangle(x))}{F_{P,Q}(t_1 + \dots + t_n)}\ (\mathcal{A}_{P,Q\,eq}/\mathrm{ACU}) \tag{8.4} \]

Hence the clause $R_i(a_{P_i,Q_i}) \in \mathcal{A}_{P,Q}$ for $1 \le i \le n$. Hence $R_i(a_{P_i,Q_i})$ is derivable in $\mathcal{A}_{P,Q}/\mathrm{ACU}$. Also $\mathcal{A}_{P,Q\,eq} \subseteq \mathcal{A}$. Hence using (8.4) and Lemma 21, $F_{P,Q}(a_{P_1,Q_1} + \dots + a_{P_n,Q_n})$ is derivable in $\mathcal{A}_{P,Q}/\mathrm{ACU}$.

Now for $1 \le i \le n$, since $\mathcal{A}$ is functional, $t_i = f_i(t_i^1, \dots, t_i^{k_i})$ for some free $f_i$ of arity $k_i$ and some terms $t_i^j$. As $\langle P_i, Q_i\rangle(t_i)$ is in the functional support of $\pi_1$, there is a clause $\langle P_i, Q_i\rangle(f_i(x_1, \dots, x_{k_i})) \Leftarrow (P_i^1, Q_i^1)(x_1) \wedge \dots \wedge (P_i^{k_i}, Q_i^{k_i})(x_{k_i})$ in $\mathcal{A}$ corresponding to clauses $P_i(f_i(x_1, \dots, x_{k_i})) \Leftarrow P_i^1(x_1) \wedge \dots \wedge P_i^{k_i}(x_{k_i})$ and $Q_i(f_i(x_1, \dots, x_{k_i})) \Leftarrow Q_i^1(x_1) \wedge \dots \wedge Q_i^{k_i}(x_{k_i})$ in $\mathcal{A}_{1free}$ and $\mathcal{A}_{2free}$ respectively, and for $1 \le j \le k_i$, $(P_i^j, Q_i^j)(t_i^j)$ is derivable in $\mathcal{A}/\mathrm{ACU}$. By induction hypothesis we get derivations of $P_i^j(t_i^j)$ and $Q_i^j(t_i^j)$ in $\mathcal{A}_1/\mathrm{ACU}$ and $\mathcal{A}_2/\mathrm{ACU}$ respectively. Hence using the above clauses from $\mathcal{A}_{1free}$ and $\mathcal{A}_{2free}$ respectively, $P_i(t_i)$ and $Q_i(t_i)$ are derivable in $\mathcal{A}_1/\mathrm{ACU}$ and $\mathcal{A}_2/\mathrm{ACU}$ respectively.

Since $F_{P,Q}(a_{P_1,Q_1} + \dots + a_{P_n,Q_n})$ is derivable in $\mathcal{A}_{P,Q}/\mathrm{ACU}$, $P(a_{P_1,Q_1} + \dots + a_{P_n,Q_n})$ must be derivable in $\mathcal{B}_1/\mathrm{ACU}$. This derivation (call it $\pi_2$) must have a functional support $P_1(a_{P_1,Q_1}), \dots, P_n(a_{P_n,Q_n})$ and we must have
\[ \pi_2 = \dfrac{P_1(a_{P_1,Q_1}) \quad \cdots \quad P_n(a_{P_n,Q_n})}{P(a_{P_1,Q_1} + \dots + a_{P_n,Q_n})}\ (\mathcal{B}_{1eq}/\mathrm{ACU}) \tag{8.5} \]

We know that $P_1(t_1), \dots, P_n(t_n)$ are derivable in $\mathcal{A}_1/\mathrm{ACU}$. Also by definition $\mathcal{B}_{1eq} = \mathcal{A}_{1eq}$. Hence from (8.5) and Lemma 21, $P(t_1 + \dots + t_n)$ is derivable in $\mathcal{A}_1/\mathrm{ACU}$. Similarly $Q(t_1 + \dots + t_n)$ is derivable in $\mathcal{A}_2/\mathrm{ACU}$. □
Let $P$ and $Q$ be the final states of $\mathcal{A}_1$ and $\mathcal{A}_2$ respectively. We name $(P, Q)$ as the final state of $\mathcal{A}$. From Lemmas 29 and 30, $\mathcal{L}_{(P,Q)}(\mathcal{A}/\mathrm{ACU}) = \mathcal{L}_P(\mathcal{A}_1/\mathrm{ACU}) \cap \mathcal{L}_Q(\mathcal{A}_2/\mathrm{ACU})$, implying that $\mathcal{L}(\mathcal{A}/\mathrm{ACU}) = \mathcal{L}(\mathcal{A}_1/\mathrm{ACU}) \cap \mathcal{L}(\mathcal{A}_2/\mathrm{ACU})$. This allows us to conclude that

Theorem 19 One-way ACU tree automata are effectively closed under intersection.

8.1.1 One-Way AC Automata

Observe that the presence of the 0 symbol is not at all crucial for the above construction and proofs for ACU automata. It is easy to modify the above proof to work for the AC case. Theorem 17 gives us a correspondence between constant-only AC automata and semilinear sets not containing the 0 tuple. Without repeating the whole proof we merely state the result:

Theorem 20 One-way AC tree automata are effectively closed under intersection.

8.2 One-Way ACUX Automata

Next we show closure under intersection of one-way ACUX automata. Fix a signature $\Sigma$ containing at least the symbols $+$ and $0$. Consider a one-way ACUX automaton $\mathcal{A}$ with predicates from some finite set $\mathbb{P}$. We introduce new predicate symbols $(P, Q)$ and $\langle P, Q\rangle$ for each $P, Q \in \mathbb{P}$, and sets of constants $S_1 = \{a_{P,Q} \mid P, Q \in \mathbb{P}\}$ and $S_2 = \{b_{P,Q} \mid P, Q \in \mathbb{P}\}$. The order of $P, Q$ in all these is ignored. Instead of intersecting two distinct automata, we compute an automaton $\mathcal{A}_{inter}$ in which state $(P, Q)$ represents the intersection of $P$ and $Q$ for all $P, Q$. $\langle P, Q\rangle$ accepts the functional terms among the terms accepted at $(P, Q)$.

Define automaton $\mathcal{B} = \mathcal{A}_{eq} \cup \{P(a_{P,Q}),\ P(b_{P,Q}) \mid P, Q \in \mathbb{P}\}$. From Theorem 16, $\mathcal{L}_P(\mathcal{B}/\mathrm{ACU})$ is a semilinear set for every $P$. For each $S \subseteq S_2$, we define $\mathcal{L}_{P,S}$ to be the set of those $t \in \mathcal{L}_P(\mathcal{B}/\mathrm{ACU})$ such that each constant in $S$ occurs in $t$ a positive and even number of times and no constant from $S_2 \setminus S$ occurs in $t$. This operation is clearly Presburger-definable, and hence $\mathcal{L}_{P,S}$ is also a semilinear set. Define $\mathcal{L}'_{P,S}$ to be the language obtained from $\mathcal{L}_{P,S}$ by deleting all symbols of $S_2$, i.e., taking the image of $\mathcal{L}_{P,S}$ under the projection $\sum_{i,j} m_{ij} a_{P_i,Q_j} + \sum_{i,j} n_{ij} b_{P_i,Q_j} \mapsto \sum_{i,j} m_{ij} a_{P_i,Q_j}$. $\mathcal{L}'_{P,S}$ is again a semilinear set. Given $P, Q \in \mathbb{P}$ and $S, T \subseteq S_2$, clearly $\mathcal{L}'_{P,S} \cap \mathcal{L}'_{Q,T}$ is a semilinear set. By Theorem 16, we can construct a constant-only automaton $\mathcal{A}_{P,Q,S,T}$ with final state $F_{P,Q,S,T}$ such that $\mathcal{L}(\mathcal{A}_{P,Q,S,T}/\mathrm{ACU}) = \mathcal{L}'_{P,S} \cap \mathcal{L}'_{Q,T}$. We assume that the automata $\mathcal{A}_{P,Q,S,T}$ are built from mutually disjoint sets of (fresh) states.

The required automaton $\mathcal{A}_{inter}$ has the following clauses:

- for each $P, Q \in \mathbb{P}$ and each $S, T \subseteq S_2$, the extended epsilon clause
\[ (P, Q)(x) \Leftarrow F_{P,Q,S,T}(x) \wedge \bigwedge_{b_{R,R'} \in S \cup T} (R, R')(x_{R,R'}). \]

- the clauses of $\mathcal{A}_{P,Q,S,T\,eq}$ for each $P, Q \in \mathbb{P}$ and $S, T \subseteq S_2$.

- for each base clause $R(a_{R',R''})$ in some $\mathcal{A}_{P,Q,S,T}$, the clause $R(x) \Leftarrow \langle R', R''\rangle(x)$.

- for each pair of clauses
\[ P(f(x_1, \dots, x_n)) \Leftarrow P_1(x_1) \wedge \dots \wedge P_n(x_n), \qquad Q(f(x_1, \dots, x_n)) \Leftarrow Q_1(x_1) \wedge \dots \wedge Q_n(x_n) \]
in $\mathcal{A}_{free}$, the clause
\[ \langle P, Q\rangle(f(x_1, \dots, x_n)) \Leftarrow (P_1, Q_1)(x_1) \wedge \dots \wedge (P_n, Q_n)(x_n). \]
The idea in defining $\mathcal{B}$ and $\mathcal{A}_{P,Q,S,T}$ is to compute all possible derivations using clauses of the equational part. The $a$'s and $b$'s act as abstractions for the functional terms. If $t =_{ACUX} t'$ then we must have
\[ t =_{ACU} t_1 + \dots + t_m + u_1 + v_1 + \dots + u_n + v_n, \qquad t' =_{ACU} t'_1 + \dots + t'_m + u'_1 + v'_1 + \dots + u'_p + v'_p \]
with all the $t_i, t'_i, u_i, v_i, u'_i, v'_i$ being functional, such that $t_i =_{ACUX} t'_i$, $u_i =_{ACUX} v_i$ and $u'_i =_{ACUX} v'_i$. The $a$'s act as abstractions for the $t_i, t'_i$'s and the $b$'s for the $u_i, v_i, u'_i, v'_i$'s. This is the reason we delete the $b$'s from $\mathcal{L}_{P,S}$: they represent the cancellations using X. Even though we can forget the actual values of the $u_i, v_i$'s, we need to be sure that there exist some terms to fill their place; this is the reason for the emptiness tests in the extended epsilon clauses of $\mathcal{A}_{inter}$. In this way we take care of the non-linearity and cancellation in the equation $x + x = 0$ using some kind of intersection-emptiness tests, and the remaining equations are dealt with using the results on ACU automata. This is made precise by Lemmas 31 and 32.

Lemma 31 If $P(t')$ and $Q(t'')$ are derivable in $\mathcal{A}/\mathrm{ACU}$ and $t' =_{ACUX} t''$, then for some $t =_{ACUX} t'$, $(P, Q)(t)$ is derivable in $\mathcal{A}_{inter}/\mathrm{ACU}$.

Proof: We do induction on the sum of the sizes of the derivations $\pi_1$ and $\pi_2$ of $P(t')$ and $Q(t'')$ respectively. Since $t' =_{ACUX} t''$ we must have
\[ t' =_{ACU} t'_1 + \dots + t'_m + (u'_1 + u''_1) + \dots + (u'_n + u''_n) \tag{8.6} \]
\[ t'' =_{ACU} t''_1 + \dots + t''_m + (v'_1 + v''_1) + \dots + (v'_p + v''_p) \tag{8.7} \]
such that $m, n, p \ge 0$; $t'_i, t''_i$ are functional and $t'_i =_{ACUX} t''_i$ for $1 \le i \le m$; $u'_i, u''_i$ are functional and $u'_i =_{ACUX} u''_i$ for $1 \le i \le n$; and $v'_i, v''_i$ are functional and $v'_i =_{ACUX} v''_i$ for $1 \le i \le p$. $\pi_1$ and $\pi_2$ must have functional supports of the form $P_1(t'_1), \dots, P_m(t'_m), I_1(u'_1), I'_1(u''_1), \dots, I_n(u'_n), I'_n(u''_n)$ and $Q_1(t''_1), \dots, Q_m(t''_m), J_1(v'_1), J'_1(v''_1), \dots, J_p(v'_p), J'_p(v''_p)$ respectively, such that
\[ \pi_1 = \dfrac{P_1(t'_1) \ \cdots\ P_m(t'_m) \quad I_1(u'_1)\ I'_1(u''_1) \ \cdots\ I_n(u'_n)\ I'_n(u''_n)}{P(t'_1 + \dots + t'_m + (u'_1 + u''_1) + \dots + (u'_n + u''_n))}\ (\mathcal{A}_{eq}/\mathrm{ACU}) \tag{8.8} \]
\[ \pi_2 = \dfrac{Q_1(t''_1) \ \cdots\ Q_m(t''_m) \quad J_1(v'_1)\ J'_1(v''_1) \ \cdots\ J_p(v'_p)\ J'_p(v''_p)}{Q(t''_1 + \dots + t''_m + (v'_1 + v''_1) + \dots + (v'_p + v''_p))}\ (\mathcal{A}_{eq}/\mathrm{ACU}) \tag{8.9} \]

By definition of $\mathcal{B}$, the atoms $P_1(a_{P_1,Q_1}), \dots, P_m(a_{P_m,Q_m}), I_1(b_{I_1,I'_1}), I'_1(b_{I_1,I'_1}), \dots, I_n(b_{I_n,I'_n}), I'_n(b_{I_n,I'_n})$ are derivable in $\mathcal{B}/\mathrm{ACU}$. Also $\mathcal{A}_{eq} \subseteq \mathcal{B}$. Hence from (8.8) and Lemma 21, $P(a_{P_1,Q_1} + \dots + a_{P_m,Q_m} + 2 b_{I_1,I'_1} + \dots + 2 b_{I_n,I'_n})$ is derivable in $\mathcal{B}/\mathrm{ACU}$. Similarly $Q(a_{P_1,Q_1} + \dots + a_{P_m,Q_m} + 2 b_{J_1,J'_1} + \dots + 2 b_{J_p,J'_p})$ is derivable in $\mathcal{B}/\mathrm{ACU}$. Let $S = \{b_{I_1,I'_1}, \dots, b_{I_n,I'_n}\}$ and $T = \{b_{J_1,J'_1}, \dots, b_{J_p,J'_p}\}$. We have $a_{P_1,Q_1} + \dots + a_{P_m,Q_m} + 2 b_{I_1,I'_1} + \dots + 2 b_{I_n,I'_n} \in \mathcal{L}_{P,S}$ and $a_{P_1,Q_1} + \dots + a_{P_m,Q_m} \in \mathcal{L}'_{P,S}$. Similarly $a_{P_1,Q_1} + \dots + a_{P_m,Q_m} \in \mathcal{L}'_{Q,T}$. Hence $F_{P,Q,S,T}(a_{P_1,Q_1} + \dots + a_{P_m,Q_m})$ is derivable in $\mathcal{A}_{P,Q,S,T}/\mathrm{ACU}$. This derivation $\pi_3$ must have a functional support of the form $R_1(a_{P_1,Q_1}), \dots, R_m(a_{P_m,Q_m})$ and we must have
\[ \pi_3 = \dfrac{R_1(a_{P_1,Q_1}) \quad \cdots \quad R_m(a_{P_m,Q_m})}{F_{P,Q,S,T}(a_{P_1,Q_1} + \dots + a_{P_m,Q_m})}\ (\mathcal{A}_{P,Q,S,T\,eq}/\mathrm{ACU}) \tag{8.10} \]

Since $P_i(t'_i)$ and $Q_i(t''_i)$ are in the functional supports of $\pi_1$ and $\pi_2$ respectively, we have $t'_i = f_i(t'^1_i, \dots, t'^{k_i}_i)$ and $t''_i = f_i(t''^1_i, \dots, t''^{k_i}_i)$ for some free $f_i$ of arity $k_i$ such that $t'^j_i =_{ACUX} t''^j_i$; the derivation of $P_i(t'_i)$ uses $P_i(f_i(x_1, \dots, x_{k_i})) \Leftarrow P_i^1(x_1) \wedge \dots \wedge P_i^{k_i}(x_{k_i})$ as the last clause, the derivation of $Q_i(t''_i)$ uses $Q_i(f_i(x_1, \dots, x_{k_i})) \Leftarrow Q_i^1(x_1) \wedge \dots \wedge Q_i^{k_i}(x_{k_i})$ as the last clause, and for $1 \le j \le k_i$ the atoms $P_i^j(t'^j_i)$ and $Q_i^j(t''^j_i)$ are derivable in $\mathcal{A}/\mathrm{ACU}$. By induction hypothesis, we have $t^j_i =_{ACUX} t'^j_i$ such that $(P_i^j, Q_i^j)(t^j_i)$ is derivable in $\mathcal{A}_{inter}/\mathrm{ACU}$. Let $t_i = f_i(t^1_i, \dots, t^{k_i}_i)$. $\langle P_i, Q_i\rangle(t_i)$ is derivable in $\mathcal{A}_{inter}/\mathrm{ACU}$ using the clause $\langle P_i, Q_i\rangle(f_i(x_1, \dots, x_{k_i})) \Leftarrow (P_i^1, Q_i^1)(x_1) \wedge \dots \wedge (P_i^{k_i}, Q_i^{k_i})(x_{k_i})$. Since the clause $R_i(a_{P_i,Q_i}) \in \mathcal{A}_{P,Q,S,T}$, the clause $R_i(x) \Leftarrow \langle P_i, Q_i\rangle(x) \in \mathcal{A}_{inter}$. Hence $R_1(t_1), \dots, R_m(t_m)$ are derivable in $\mathcal{A}_{inter}/\mathrm{ACU}$. Also $\mathcal{A}_{P,Q,S,T\,eq} \subseteq \mathcal{A}_{inter}$. Hence from (8.10) and Lemma 21, $F_{P,Q,S,T}(t_1 + \dots + t_m)$ is derivable in $\mathcal{A}_{inter}/\mathrm{ACU}$. Let the required $t$ be $t_1 + \dots + t_m$. Also by induction hypothesis we must have $u_j =_{ACUX} u'_j$ and $v_k =_{ACUX} v'_k$ such that $(I_j, I'_j)(u_j)$ and $(J_k, J'_k)(v_k)$ are derivable in $\mathcal{A}_{inter}/\mathrm{ACU}$ for $1 \le j \le n$ and $1 \le k \le p$. Then we have the following derivation of $(P, Q)(t)$ in $\mathcal{A}_{inter}/\mathrm{ACU}$:
\[ \dfrac{F_{P,Q,S,T}(t) \quad (I_1, I'_1)(u_1) \ \cdots\ (I_n, I'_n)(u_n) \quad (J_1, J'_1)(v_1) \ \cdots\ (J_p, J'_p)(v_p)}{(P, Q)(t)}\ (C) \]
where $C$ is the clause $(P, Q)(x) \Leftarrow F_{P,Q,S,T}(x) \wedge \bigwedge_{b_{R,R'} \in S \cup T} (R, R')(x_{R,R'})$. Also it is clear that $t =_{ACUX} t'$. □

Lemma 32 For $P, Q \in \mathbb{P}$, if $(P, Q)(t)$ is derivable in $\mathcal{A}_{inter}/\mathrm{ACU}$ then for some $t' =_{ACUX} t'' =_{ACUX} t$, $P(t')$ and $Q(t'')$ are derivable in $\mathcal{A}/\mathrm{ACU}$.

Proof: We do induction on the size of the derivation $\pi$ of $(P, Q)(t)$ in $\mathcal{A}_{inter}/\mathrm{ACU}$. From examination of the clauses in $\mathcal{A}_{inter}$, $\pi$ must use a clause
\[ C = (P, Q)(x) \Leftarrow F_{P,Q,S,T}(x) \wedge \bigwedge_{b_{R,R'} \in S \cup T} (R, R')(x_{R,R'}) \]
as the last clause, for some $S, T \subseteq S_2$. Hence $F_{P,Q,S,T}(t)$ is derivable in $\mathcal{A}_{inter}/\mathrm{ACU}$ with a derivation $\pi_1$ which is strictly smaller than $\pi$. Also we have terms $t_{R,R'}$ for each $b_{R,R'} \in S \cup T$, such that $(R, R')(t_{R,R'})$ is derivable in $\mathcal{A}_{inter}/\mathrm{ACU}$ with a derivation which is strictly smaller than $\pi$. From the induction hypothesis we get terms $t'_{R,R'} =_{ACUX} t''_{R,R'} =_{ACUX} t_{R,R'}$ such that:

$R(t'_{R,R'})$ and $R'(t''_{R,R'})$ are derivable in $\mathcal{A}/\mathrm{ACU}$, for each $b_{R,R'} \in S \cup T$. (*)

Again from examination of the clauses in $\mathcal{A}_{inter}$, $\pi_1$ must have a functional support of the form $\langle P_1, Q_1\rangle(t_1), \dots, \langle P_m, Q_m\rangle(t_m)$ for some $m \ge 0$ such that $t =_{ACU} t_1 + \dots + t_m$, and $\pi_1$ is of the form
\[ \pi_1 = \dfrac{\dfrac{\langle P_1, Q_1\rangle(t_1)}{R_1(t_1)}\ (R_1(x) \Leftarrow \langle P_1, Q_1\rangle(x)) \quad \cdots \quad \dfrac{\langle P_m, Q_m\rangle(t_m)}{R_m(t_m)}\ (R_m(x) \Leftarrow \langle P_m, Q_m\rangle(x))}{F_{P,Q,S,T}(t_1 + \dots + t_m)}\ (\mathcal{A}_{P,Q,S,T\,eq}/\mathrm{ACU}) \tag{8.11} \]

Hence the clause $R_i(a_{P_i,Q_i}) \in \mathcal{A}_{P,Q,S,T}$ for $1 \le i \le m$. Hence $R_i(a_{P_i,Q_i})$ is derivable in $\mathcal{A}_{P,Q,S,T}/\mathrm{ACU}$. Also $\mathcal{A}_{P,Q,S,T\,eq} \subseteq \mathcal{A}_{inter}$. Hence using (8.11) and Lemma 21, $F_{P,Q,S,T}(a_{P_1,Q_1} + \dots + a_{P_m,Q_m})$ is derivable in $\mathcal{A}_{P,Q,S,T}/\mathrm{ACU}$. So $a_{P_1,Q_1} + \dots + a_{P_m,Q_m} \in \mathcal{L}'_{P,S}$. Therefore we must have $b_{I_1,I'_1}, \dots, b_{I_n,I'_n} \in S$ ($n \ge 0$) such that $a_{P_1,Q_1} + \dots + a_{P_m,Q_m} + 2 b_{I_1,I'_1} + \dots + 2 b_{I_n,I'_n} \in \mathcal{L}_P(\mathcal{B}/\mathrm{ACU})$.

For $1 \le i \le m$, since $\mathcal{A}$ is functional, there is a free $f_i$ of arity $k_i$ and terms $t^1_i, \dots, t^{k_i}_i$ such that $t_i = f_i(t^1_i, \dots, t^{k_i}_i)$. Since $\langle P_i, Q_i\rangle(t_i)$ is in the functional support of $\pi_1$, it uses as last clause a clause of the form $\langle P_i, Q_i\rangle(f_i(x_1, \dots, x_{k_i})) \Leftarrow (P_i^1, Q_i^1)(x_1) \wedge \dots \wedge (P_i^{k_i}, Q_i^{k_i})(x_{k_i})$ corresponding to clauses $P_i(f_i(x_1, \dots, x_{k_i})) \Leftarrow P_i^1(x_1) \wedge \dots \wedge P_i^{k_i}(x_{k_i})$ and $Q_i(f_i(x_1, \dots, x_{k_i})) \Leftarrow Q_i^1(x_1) \wedge \dots \wedge Q_i^{k_i}(x_{k_i})$ of $\mathcal{A}_{free}$, so that $(P_i^j, Q_i^j)(t^j_i)$ is derivable in $\mathcal{A}_{inter}/\mathrm{ACU}$ using a derivation strictly smaller than $\pi_1$. By induction hypothesis, we have $t'^j_i =_{ACUX} t''^j_i =_{ACUX} t^j_i$ such that $P_i^j(t'^j_i)$ and $Q_i^j(t''^j_i)$ are derivable in $\mathcal{A}/\mathrm{ACU}$. Let $t'_i = f_i(t'^1_i, \dots, t'^{k_i}_i)$ and $t''_i = f_i(t''^1_i, \dots, t''^{k_i}_i)$. Then $P_i(t'_i)$ is derivable in $\mathcal{A}/\mathrm{ACU}$ using the clause $P_i(f_i(x_1, \dots, x_{k_i})) \Leftarrow P_i^1(x_1) \wedge \dots \wedge P_i^{k_i}(x_{k_i})$. Similarly $Q_i(t''_i)$ is derivable in $\mathcal{A}/\mathrm{ACU}$.

Now the derivation $\pi_2$ of $P(a_{P_1,Q_1} + \dots + a_{P_m,Q_m} + 2 b_{I_1,I'_1} + \dots + 2 b_{I_n,I'_n})$ in $\mathcal{B}/\mathrm{ACU}$ must have a functional support of the form $P^l_1(a_{P_1,Q_1}), \dots, P^l_m(a_{P_m,Q_m}), I^l_1(b_{I_1,I'_1}), I^{l'}_1(b_{I_1,I'_1}), \dots, I^l_n(b_{I_n,I'_n}), I^{l'}_n(b_{I_n,I'_n})$ where $P^l_i \in \{P_i, Q_i\}$ and $I^l_i, I^{l'}_i \in \{I_i, I'_i\}$. We have
\[ \pi_2 = \dfrac{P^l_1(a_{P_1,Q_1}) \ \cdots\ P^l_m(a_{P_m,Q_m}) \quad I^l_1(b_{I_1,I'_1})\ I^{l'}_1(b_{I_1,I'_1}) \ \cdots\ I^l_n(b_{I_n,I'_n})\ I^{l'}_n(b_{I_n,I'_n})}{P(a_{P_1,Q_1} + \dots + a_{P_m,Q_m} + 2 b_{I_1,I'_1} + \dots + 2 b_{I_n,I'_n})}\ (\mathcal{B}_{eq}/\mathrm{ACU}) \tag{8.12} \]

Since each $b_{I_i,I'_i} \in S$, by (*) $I_i(t'_{I_i,I'_i})$ and $I'_i(t''_{I_i,I'_i})$ are derivable in $\mathcal{A}/\mathrm{ACU}$. Recall that $P_i(t'_i)$ and $Q_i(t''_i)$ are derivable in $\mathcal{A}/\mathrm{ACU}$. Also $\mathcal{B}_{eq} = \mathcal{A}_{eq}$. So from (8.12) and Lemma 21, $P(t^l_1 + \dots + t^l_m + (t^l_{I_1,I'_1} + t^{l'}_{I_1,I'_1}) + \dots + (t^l_{I_n,I'_n} + t^{l'}_{I_n,I'_n}))$ is derivable in $\mathcal{A}/\mathrm{ACU}$, where $t^l_i \in \{t'_i, t''_i\}$ and $t^l_{I_i,I'_i}, t^{l'}_{I_i,I'_i} \in \{t'_{I_i,I'_i}, t''_{I_i,I'_i}\}$. Let the required $t'$ be $t^l_1 + \dots + t^l_m + (t^l_{I_1,I'_1} + t^{l'}_{I_1,I'_1}) + \dots + (t^l_{I_n,I'_n} + t^{l'}_{I_n,I'_n})$. Then $t =_{ACUX} t'$ and $P(t')$ is derivable in $\mathcal{A}/\mathrm{ACU}$. Similarly we can find $t''$ such that $t =_{ACUX} t''$ and $Q(t'')$ is derivable in $\mathcal{A}/\mathrm{ACU}$. □


Theorem 21 One-way ACUX automata are effectively closed under intersection.

Proof: Let $\mathcal{A}_1$ and $\mathcal{A}_2$ be two one-way automata whose intersection we want to compute. We assume without loss of generality that they are built from disjoint sets of states $\mathbb{P}_1$ and $\mathbb{P}_2$ respectively, and that their final states are $P$ and $Q$ respectively. Define automaton $\mathcal{A} = \mathcal{A}_1 \cup \mathcal{A}_2$ on the set of states $\mathbb{P} = \mathbb{P}_1 \cup \mathbb{P}_2$. We compute the automaton $\mathcal{A}_{inter}$ corresponding to the automaton $\mathcal{A}$, as described in the above procedure. $\mathcal{A}_{inter}$ is not exactly a one-way automaton because of the presence of the extended epsilon clauses. However from Lemma 20, we have a one-way automaton $\mathcal{A}'_{inter}$ such that $\mathcal{L}_q(\mathcal{A}'_{inter}/\mathrm{ACU}) = \mathcal{L}_q(\mathcal{A}_{inter}/\mathrm{ACU})$ for each state $q$ of $\mathcal{A}_{inter}$.

1. First we show that $\mathcal{L}_P(\mathcal{A}_1/\mathrm{ACUX}) \cap \mathcal{L}_Q(\mathcal{A}_2/\mathrm{ACUX}) \subseteq \mathcal{L}_{(P,Q)}(\mathcal{A}'_{inter}/\mathrm{ACUX})$. Let $s \in \mathcal{L}_P(\mathcal{A}_1/\mathrm{ACUX}) \cap \mathcal{L}_Q(\mathcal{A}_2/\mathrm{ACUX})$. From Lemma 19 we have terms $t' =_{ACUX} t'' =_{ACUX} s$ such that $t' \in \mathcal{L}_P(\mathcal{A}_1/\mathrm{ACU}) = \mathcal{L}_P(\mathcal{A}/\mathrm{ACU})$ and $t'' \in \mathcal{L}_Q(\mathcal{A}_2/\mathrm{ACU}) = \mathcal{L}_Q(\mathcal{A}/\mathrm{ACU})$. From Lemma 31 there is a $t =_{ACUX} t'$ such that $t \in \mathcal{L}_{(P,Q)}(\mathcal{A}_{inter}/\mathrm{ACU}) = \mathcal{L}_{(P,Q)}(\mathcal{A}'_{inter}/\mathrm{ACU}) \subseteq \mathcal{L}_{(P,Q)}(\mathcal{A}'_{inter}/\mathrm{ACUX})$. Since $s =_{ACUX} t$ we have $s \in \mathcal{L}_{(P,Q)}(\mathcal{A}'_{inter}/\mathrm{ACUX})$.

2. Next we show that $\mathcal{L}_{(P,Q)}(\mathcal{A}'_{inter}/\mathrm{ACUX}) \subseteq \mathcal{L}_P(\mathcal{A}_1/\mathrm{ACUX}) \cap \mathcal{L}_Q(\mathcal{A}_2/\mathrm{ACUX})$. Let $s \in \mathcal{L}_{(P,Q)}(\mathcal{A}'_{inter}/\mathrm{ACUX})$. Since $\mathcal{A}'_{inter}$ is a one-way automaton, by Lemma 19 there is a $t =_{ACUX} s$ such that $t \in \mathcal{L}_{(P,Q)}(\mathcal{A}'_{inter}/\mathrm{ACU}) = \mathcal{L}_{(P,Q)}(\mathcal{A}_{inter}/\mathrm{ACU})$. By Lemma 32 we have $t' =_{ACUX} t'' =_{ACUX} t$ such that $t' \in \mathcal{L}_P(\mathcal{A}/\mathrm{ACU}) = \mathcal{L}_P(\mathcal{A}_1/\mathrm{ACU}) \subseteq \mathcal{L}_P(\mathcal{A}_1/\mathrm{ACUX})$ and $t'' \in \mathcal{L}_Q(\mathcal{A}/\mathrm{ACU}) = \mathcal{L}_Q(\mathcal{A}_2/\mathrm{ACU}) \subseteq \mathcal{L}_Q(\mathcal{A}_2/\mathrm{ACUX})$. Since $t =_{ACUX} t' =_{ACUX} t''$, we have $t \in \mathcal{L}_P(\mathcal{A}_1/\mathrm{ACUX})$ and $t \in \mathcal{L}_Q(\mathcal{A}_2/\mathrm{ACUX})$. Hence $t \in \mathcal{L}_P(\mathcal{A}_1/\mathrm{ACUX}) \cap \mathcal{L}_Q(\mathcal{A}_2/\mathrm{ACUX})$, and since $s =_{ACUX} t$, so is $s$.

Hence by naming $(P, Q)$ as the final state of $\mathcal{A}'_{inter}$ we have $\mathcal{L}(\mathcal{A}'_{inter}/\mathrm{ACUX}) = \mathcal{L}(\mathcal{A}_1/\mathrm{ACUX}) \cap \mathcal{L}(\mathcal{A}_2/\mathrm{ACUX})$. □

8.2.1 One-Way ACUX_n Automata

The result on closure under intersection of one-way ACUX automata is easily generalized to the case of ACUX_n automata. Since the proofs in this case are very similar to the ACUX case, we merely detail the construction and sketch the ideas of the proofs. Fix some n ≥ 2, so that we are interested in the theory ACUX_n. (The ACUX case corresponds to the case n = 2.) Whereas in the ACUX case we needed to compute intersections of pairs of states, in this case we will need to compute intersections of n-tuples of states.

Consider a one-way ACUX_n automaton A with predicates from some finite set P. We introduce new predicate symbols (P_1, ..., P_n), together with a marked copy of each, for each P_1, ..., P_n ∈ P, and sets of constants S_1 = {a_{P_1,...,P_n} | P_1, ..., P_n ∈ P} and S_2 = {b_{P_1,...,P_n} | P_1, ..., P_n ∈ P}. The order of P_1, ..., P_n in all these new predicates as well as constants is ignored. As in the ACUX case, instead of intersecting two distinct automata, we compute an automaton A_inter in which the state (P_1, ..., P_n) represents the intersection of the states P_1, ..., P_n, for all P_1, ..., P_n. The marked copy of (P_1, ..., P_n) accepts the functional terms among the terms accepted at (P_1, ..., P_n).

Define the automaton B = A_eq ∪ {P_i(a_{P_1,...,P_n}), P_i(b_{P_1,...,P_n}) | P_1, ..., P_n ∈ P, 1 ≤ i ≤ n}. From Theorem 16, L_P(B/ACU) is a semilinear set for every P. For each S ⊆ S_2, we define L_{P,S} to be the set of those t ∈ L_P(B/ACU) such that each constant in S occurs in t exactly kn times for some k ≥ 1, and no constant from S_2 \ S occurs in t. This operation is clearly Presburger-definable, and hence L_{P,S} is also a semilinear set. Define L'_{P,S} to be the language obtained from L_{P,S} by deleting all symbols of S_2. L'_{P,S} is again a semilinear set. Given P_1, ..., P_n ∈ P and T_1, ..., T_n ⊆ S_2, clearly L'_{P_1,T_1} ∩ ... ∩ L'_{P_n,T_n} is a semilinear set. By Theorem 16, we can construct a constant-only automaton A_{P_1,...,P_n,T_1,...,T_n} with final state F_{P_1,...,P_n,T_1,...,T_n} such that L_{F_{P_1,...,P_n,T_1,...,T_n}}(A_{P_1,...,P_n,T_1,...,T_n}/ACU) = L'_{P_1,T_1} ∩ ... ∩ L'_{P_n,T_n}. We assume that the automata A_{P_1,...,P_n,T_1,...,T_n} are built from mutually disjoint sets of (fresh) states.

The required automaton A_inter has the following clauses:

- for each P_1, ..., P_n ∈ P and each T_1, ..., T_n ⊆ S_2, the extended epsilon clause (P_1, ..., P_n)(x) ⇐ F_{P_1,...,P_n,T_1,...,T_n}(x) ∧ ⋀_{b_{R_1,...,R_n} ∈ T_1 ∪ ... ∪ T_n} (R_1, ..., R_n)(x_{R_1,...,R_n}).

- the clauses of A_{P_1,...,P_n,T_1,...,T_n eq} for each P_1, ..., P_n ∈ P and T_1, ..., T_n ⊆ S_2.

- for each base clause R(a_{P_1,...,P_n}) in some A_{P_1,...,P_n,T_1,...,T_n}, the clause R(x) ⇐ (P_1, ..., P_n)(x).

- for each n-tuple of clauses

P^1(f(x_1, ..., x_m)) ⇐ P_1^1(x_1) ∧ ... ∧ P_m^1(x_m)

...

P^n(f(x_1, ..., x_m)) ⇐ P_1^n(x_1) ∧ ... ∧ P_m^n(x_m)

in A_free, the clause

(P^1, ..., P^n)(f(x_1, ..., x_m)) ⇐ (P_1^1, ..., P_1^n)(x_1) ∧ ... ∧ (P_m^1, ..., P_m^n)(x_m)

Although our main purpose is to compute intersections of pairs of states, in order to account for the cancellations using the X_n equation it is necessary to compute intersections of n-tuples of states. As in the ACUX case we prove the following two results:

Lemma 33 If P_1(t_1), ..., P_n(t_n) are derivable in A/ACU and t_1 =_{ACUX_n} ... =_{ACUX_n} t_n, then for some t =_{ACUX_n} t_1, (P_1, ..., P_n)(t) is derivable in A_inter/ACU.

Lemma 34 For P_1, ..., P_n ∈ P, if (P_1, ..., P_n)(t) is derivable in A_inter/ACU then for some t_1 =_{ACUX_n} ... =_{ACUX_n} t_n =_{ACUX_n} t, P_1(t_1), ..., P_n(t_n) are derivable in A/ACU.

We don't need special states of the form (P, Q) to represent the intersection of pairs of states, since the states of the form (P, Q, ..., Q) serve this purpose. We conclude that

Theorem 22 One-way ACUX n automata are effectively closed under intersection. 

8.3 One-Way ACUD Automata

We show in this section that one-way ACUD automata are effectively closed under intersection. Fix a signature Σ containing at least the symbols +, - and 0. Let A_1 and A_2 be one-way equational tree automata on signature Σ. We will define an automaton A such that L(A/ACUD) = L(A_1/ACUD) ∩ L(A_2/ACUD). Let the sets of states of A_1 and A_2 be P and Q respectively.

We introduce sets S = {a_{P,Q} | (P,Q) ∈ P × Q} and S̄ = {ā_{P,Q} | (P,Q) ∈ P × Q} of new constants. We don't distinguish between a_{P,Q} and a_{Q,P}. Define the automaton B_1 = A_{1 eq} ∪ {P(a_{P,Q}) | (P,Q) ∈ P × Q}. Define the automaton B_2 = A_{2 eq} ∪ {Q(a_{P,Q}) | (P,Q) ∈ P × Q}. From Theorem 18, for (P,Q) ∈ P × Q, L_P(B_1/ACUD) and L_Q(B_2/ACUD) are semilinear sets on constants from S ∪ S̄. Hence L_P(B_1/ACUD) ∩ L_Q(B_2/ACUD) is a semilinear set. Hence we can define a constant-only ACUD-automaton A_{P,Q} (on constants from S) with a final state F_{P,Q} such that L_{F_{P,Q}}(A_{P,Q}/ACUD) = L_P(B_1/ACUD) ∩ L_Q(B_2/ACUD). We assume that the automata A_1, A_2 and the A_{P,Q}'s are all built from mutually disjoint sets of states.

We introduce new predicate symbols (P,Q), together with a marked copy of each, for (P,Q) ∈ P × Q. The required automaton A contains

1. the clause (P,Q)(x) ⇐ F_{P,Q}(x) for (P,Q) ∈ P × Q.

2. the clauses from A_{P,Q eq} for (P,Q) ∈ P × Q.

3. the clause R(x) ⇐ (P',Q')(x) for each base clause R(a_{P',Q'}) in A_{P,Q}, for (P,Q) ∈ P × Q.

4. the clause

(P,Q)(f(x_1, ..., x_n)) ⇐ (P_1,Q_1)(x_1) ∧ ... ∧ (P_n,Q_n)(x_n)

for clauses

P(f(x_1, ..., x_n)) ⇐ P_1(x_1) ∧ ... ∧ P_n(x_n) ∈ A_{1 free}
Q(f(x_1, ..., x_n)) ⇐ Q_1(x_1) ∧ ... ∧ Q_n(x_n) ∈ A_{2 free}

Clearly A is a one-way ACUD-automaton. That it represents the intersection of A_1 and A_2 is stated by Lemmas 35 and 36 respectively.

Lemma 35 If P(t) and Q(t) are derivable in A_1/ACUD and A_2/ACUD respectively, then (P,Q)(t) is derivable in A/ACUD.

Proof: We do induction on the sum of the sizes of the derivations π_1 and π_2 of P(t) and Q(t) respectively. We have functional terms s_1, ..., s_m, t_1, ..., t_n for some m, n ≥ 0 such that t =_ACUD s_1 + ... + s_m - t_1 - ... - t_n. π_1 must have a functional support of the form P_1(s_1), ..., P_m(s_m), P_1'(t_1), ..., P_n'(t_n) and π_2 must have a functional support of the form Q_1(s_1), ..., Q_m(s_m), Q_1'(t_1), ..., Q_n'(t_n), and we have

$$
\pi_1 \;=\; \frac{P_1(s_1)\ \cdots\ P_m(s_m)\quad P_1'(t_1)\ \cdots\ P_n'(t_n)}{P(s_1 + \cdots + s_m - t_1 - \cdots - t_n)}\ (A_{1\,eq}/\mathrm{ACUD}) \tag{8.13}
$$

$$
\pi_2 \;=\; \frac{Q_1(s_1)\ \cdots\ Q_m(s_m)\quad Q_1'(t_1)\ \cdots\ Q_n'(t_n)}{Q(s_1 + \cdots + s_m - t_1 - \cdots - t_n)}\ (A_{2\,eq}/\mathrm{ACUD}) \tag{8.14}
$$

By definition of B_1, the atoms P_1(a_{P_1,Q_1}), ..., P_m(a_{P_m,Q_m}), P_1'(a_{P_1',Q_1'}), ..., P_n'(a_{P_n',Q_n'}) are derivable in B_1/ACUD. Since A_{1 eq} ⊆ B_1, from (8.13) and Lemma 23, P(a_{P_1,Q_1} + ... + a_{P_m,Q_m} - a_{P_1',Q_1'} - ... - a_{P_n',Q_n'}) is derivable in B_1/ACUD. Similarly Q(a_{P_1,Q_1} + ... + a_{P_m,Q_m} - a_{P_1',Q_1'} - ... - a_{P_n',Q_n'}) is derivable in B_2/ACUD. Hence F_{P,Q}(a_{P_1,Q_1} + ... + a_{P_m,Q_m} - a_{P_1',Q_1'} - ... - a_{P_n',Q_n'}) is derivable in A_{P,Q}/ACUD. This derivation π_3 must have a functional support of the form R_1(a_{P_1,Q_1}), ..., R_m(a_{P_m,Q_m}), R_1'(a_{P_1',Q_1'}), ..., R_n'(a_{P_n',Q_n'}) and we must have

$$
\pi_3 \;=\; \frac{R_1(a_{P_1,Q_1})\ \cdots\ R_m(a_{P_m,Q_m})\quad R_1'(a_{P_1',Q_1'})\ \cdots\ R_n'(a_{P_n',Q_n'})}{F_{P,Q}(a_{P_1,Q_1} + \cdots + a_{P_m,Q_m} - a_{P_1',Q_1'} - \cdots - a_{P_n',Q_n'})}\ (A_{P,Q\,eq}/\mathrm{ACUD}) \tag{8.15}
$$

For each 1 ≤ i ≤ m, since s_i is functional we must have s_i = f_i(s_i^1, ..., s_i^{k_i}) for some free f_i of arity k_i. As P_i(s_i) is in the functional support of π_1, we must have a clause P_i(f_i(x_1, ..., x_{k_i})) ⇐ P_i^1(x_1) ∧ ... ∧ P_i^{k_i}(x_{k_i}) in A_1 such that for 1 ≤ j ≤ k_i, P_i^j(s_i^j) is derivable in A_1/ACUD with a derivation strictly smaller than π_1. Similarly we have a clause Q_i(f_i(x_1, ..., x_{k_i})) ⇐ Q_i^1(x_1) ∧ ... ∧ Q_i^{k_i}(x_{k_i}) in A_2 such that for 1 ≤ j ≤ k_i, Q_i^j(s_i^j) is derivable in A_2/ACUD with a derivation strictly smaller than π_2. By the induction hypothesis we have a derivation of (P_i^j,Q_i^j)(s_i^j) in A/ACUD. Also the clause (P_i,Q_i)(f_i(x_1, ..., x_{k_i})) ⇐ (P_i^1,Q_i^1)(x_1) ∧ ... ∧ (P_i^{k_i},Q_i^{k_i})(x_{k_i}) ∈ A. Hence the atom (P_i,Q_i)(s_i) is derivable in A/ACUD. Since the clause R_i(a_{P_i,Q_i}) is in A_{P,Q}, the clause R_i(x) ⇐ (P_i,Q_i)(x) is in A. Hence R_i(s_i) is derivable in A/ACUD for 1 ≤ i ≤ m. Similarly R_i'(t_i) is derivable in A/ACUD for 1 ≤ i ≤ n. Also A_{P,Q eq} ⊆ A. Hence using (8.15) and Lemma 23, we get a derivation of F_{P,Q}(s_1 + ... + s_m - t_1 - ... - t_n) in A/ACUD. Finally we use the clause (P,Q)(x) ⇐ F_{P,Q}(x) to get a derivation of (P,Q)(t) in A/ACUD. □


Lemma 36 For (P,Q) ∈ P × Q, if (P,Q)(t) is derivable in A/ACUD then P(t) and Q(t) are derivable in A_1/ACUD and A_2/ACUD respectively.
Proof: We do induction on the size of the derivation π of (P,Q)(t). Since (P,Q)(x) ⇐ F_{P,Q}(x) is the only clause which has the predicate (P,Q) in the head, π uses it as the last clause, and F_{P,Q}(t) is derivable in A/ACUD. Again by examining the clauses in A, we conclude that the derivation π_1 of F_{P,Q}(t) must have a functional support of the form (P_1,Q_1)(s_1), ..., (P_m,Q_m)(s_m), (P_1',Q_1')(t_1), ..., (P_n',Q_n')(t_n) such that t =_ACUD s_1 + ... + s_m - t_1 - ... - t_n, and π_1 is of the form

$$
\pi_1 \;=\; \frac{\dfrac{(P_1,Q_1)(s_1)}{R_1(s_1)}\,C_1\ \cdots\ \dfrac{(P_m,Q_m)(s_m)}{R_m(s_m)}\,C_m\quad \dfrac{(P_1',Q_1')(t_1)}{R_1'(t_1)}\,C_1'\ \cdots\ \dfrac{(P_n',Q_n')(t_n)}{R_n'(t_n)}\,C_n'}{F_{P,Q}(s_1 + \cdots + s_m - t_1 - \cdots - t_n)}\ (A_{P,Q\,eq}/\mathrm{ACUD}) \tag{8.16}
$$

where C_i = R_i(x) ⇐ (P_i,Q_i)(x) for 1 ≤ i ≤ m and C_i' = R_i'(x) ⇐ (P_i',Q_i')(x) for 1 ≤ i ≤ n.

Hence the clause R_i(a_{P_i,Q_i}) ∈ A_{P,Q} for 1 ≤ i ≤ m. Hence R_i(a_{P_i,Q_i}) is derivable in A_{P,Q}/ACUD for 1 ≤ i ≤ m. Similarly R_i'(a_{P_i',Q_i'}) is derivable in A_{P,Q}/ACUD for 1 ≤ i ≤ n. Also A_{P,Q eq} ⊆ A. Hence using (8.16) and Lemma 23, F_{P,Q}(a_{P_1,Q_1} + ... + a_{P_m,Q_m} - a_{P_1',Q_1'} - ... - a_{P_n',Q_n'}) is derivable in A_{P,Q}/ACUD.

Now for 1 ≤ i ≤ m, since s_i is functional, s_i = f_i(s_i^1, ..., s_i^{k_i}) for some free f_i of arity k_i and some terms s_i^1, ..., s_i^{k_i}. As (P_i,Q_i)(s_i) is in the functional support of π_1, there is a clause (P_i,Q_i)(f_i(x_1, ..., x_{k_i})) ⇐ (P_i^1,Q_i^1)(x_1) ∧ ... ∧ (P_i^{k_i},Q_i^{k_i})(x_{k_i}) in A corresponding to clauses P_i(f_i(x_1, ..., x_{k_i})) ⇐ P_i^1(x_1) ∧ ... ∧ P_i^{k_i}(x_{k_i}) and Q_i(f_i(x_1, ..., x_{k_i})) ⇐ Q_i^1(x_1) ∧ ... ∧ Q_i^{k_i}(x_{k_i}) in A_{1 free} and A_{2 free} respectively, and for 1 ≤ j ≤ k_i, (P_i^j,Q_i^j)(s_i^j) is derivable in A/ACUD. By the induction hypothesis we get derivations of P_i^j(s_i^j) and Q_i^j(s_i^j) in A_1/ACUD and A_2/ACUD respectively. Hence using the above clauses from A_{1 free} and A_{2 free} respectively, P_i(s_i) and Q_i(s_i) are derivable in A_1/ACUD and A_2/ACUD respectively for 1 ≤ i ≤ m. Similarly P_i'(t_i) and Q_i'(t_i) are derivable in A_1/ACUD and A_2/ACUD respectively for 1 ≤ i ≤ n.

Since F_{P,Q}(a_{P_1,Q_1} + ... + a_{P_m,Q_m} - a_{P_1',Q_1'} - ... - a_{P_n',Q_n'}) is derivable in A_{P,Q}/ACUD, P(a_{P_1,Q_1} + ... + a_{P_m,Q_m} - a_{P_1',Q_1'} - ... - a_{P_n',Q_n'}) is derivable in B_1/ACUD. This derivation (call it π_2) has a functional support P_1(a_{P_1,Q_1}), ..., P_m(a_{P_m,Q_m}), P_1'(a_{P_1',Q_1'}), ..., P_n'(a_{P_n',Q_n'}) and we have

$$
\pi_2 \;=\; \frac{P_1(a_{P_1,Q_1})\ \cdots\ P_m(a_{P_m,Q_m})\quad P_1'(a_{P_1',Q_1'})\ \cdots\ P_n'(a_{P_n',Q_n'})}{P(a_{P_1,Q_1} + \cdots + a_{P_m,Q_m} - a_{P_1',Q_1'} - \cdots - a_{P_n',Q_n'})}\ (B_{1\,eq}/\mathrm{ACUD}) \tag{8.17}
$$

We know that P_1(s_1), ..., P_m(s_m), P_1'(t_1), ..., P_n'(t_n) are derivable in A_1/ACUD. Also by definition B_{1 eq} = A_{1 eq}. Hence from (8.17) and Lemma 23, P(s_1 + ... + s_m - t_1 - ... - t_n) is derivable in A_1/ACUD. Similarly Q(s_1 + ... + s_m - t_1 - ... - t_n) is derivable in A_2/ACUD. □

Let P and Q be the final states of A_1 and A_2 respectively. We name (P,Q) as the final state of A. From Lemmas 35 and 36, L_(P,Q)(A/ACUD) = L_P(A_1/ACUD) ∩ L_Q(A_2/ACUD), implying that L(A/ACUD) = L(A_1/ACUD) ∩ L(A_2/ACUD). This allows us to conclude that

Theorem 23 One-way ACUD tree automata are effectively closed under intersection.
8.4 Cancellative - Symbol: Abelian Groups Automata

We show in this section that the Abelian groups automata are effectively closed under intersection. Fix a signature Σ containing at least the symbols +, - and 0.

Let A be a one-way ACUM automaton with predicates in P. As in the ACUX case we use new predicate symbols (P,Q), together with a marked copy of each that accepts only functional terms, for each P, Q ∈ P. We will construct an automaton A_inter in which the state (P,Q) accepts the intersection of the languages accepted at P and Q. The new sets of constants used are S_1 = {a_{P,Q} | P, Q ∈ P}, S_2 = {b_{P,Q} | P, Q ∈ P}, S̄_1 = {ā_{P,Q} | P, Q ∈ P} and S̄_2 = {b̄_{P,Q} | P, Q ∈ P}.

Define the automaton B = A_eq ∪ {P(a_{P,Q}), P(b_{P,Q}) | P, Q ∈ P}. From Theorem 18, for every P ∈ P, L_P(B/ACUD) is a semilinear set on the symbols from S_1 ∪ S̄_1 ∪ S_2 ∪ S̄_2. For each S ⊆ S_2, define L_{P,S} to be the set of those t ∈ L_P(B/ACUD) such that

- each b_{P,Q} ∈ S occurs in t at least once

- no b_{P,Q} ∈ S_2 \ S occurs in t

- for each b_{P,Q} ∈ S_2, b_{P,Q} occurs exactly as many times as b̄_{P,Q} in t.

Then L_{P,S} is a semilinear set on constants from S_1 ∪ S̄_1 ∪ S_2 ∪ S̄_2. Let L'_{P,S} be the language obtained from L_{P,S} by deleting all the symbols from S_2 ∪ S̄_2. This is again a semilinear set on constants from S_1 ∪ S̄_1. For P, Q ∈ P and S, T ⊆ S_2, L'_{P,S} ∩ L'_{Q,T} is a semilinear set on constants from S_1 ∪ S̄_1. Using the second part of Theorem 18, we construct a constant-only ACUD automaton A_{P,Q,S,T} on the signature S_1 ∪ {+, -, 0}, with a final state F_{P,Q,S,T} such that L_{F_{P,Q,S,T}}(A_{P,Q,S,T}/ACUD) = L'_{P,S} ∩ L'_{Q,T}. We assume that the automata A_{P,Q,S,T} are built from mutually disjoint sets of (fresh) states.

The required automaton A_inter has the following clauses:

- for each P, Q ∈ P and each S, T ⊆ S_2, the extended epsilon clause (P,Q)(x) ⇐ F_{P,Q,S,T}(x) ∧ ⋀_{b_{R,R'} ∈ S ∪ T} (R,R')(x_{R,R'}).

- the clauses of A_{P,Q,S,T eq} for each P, Q ∈ P and each S, T ⊆ S_2.

- for each base clause R(a_{R',R''}) in some A_{P,Q,S,T}, the clause R(x) ⇐ (R',R'')(x).

- for each pair of clauses

P(f(x_1, ..., x_n)) ⇐ P_1(x_1) ∧ ... ∧ P_n(x_n)

Q(f(x_1, ..., x_n)) ⇐ Q_1(x_1) ∧ ... ∧ Q_n(x_n)

in A_free, the clause

(P,Q)(f(x_1, ..., x_n)) ⇐ (P_1,Q_1)(x_1) ∧ ... ∧ (P_n,Q_n)(x_n)


Lemma 37 If P(t') and Q(t'') are derivable in A/ACUD and t' =_ACUM t'', then for some t =_ACUM t', (P,Q)(t) is derivable in A_inter/ACUD.

Proof: We do induction on the sum of the sizes of the derivations π_1 and π_2 of P(t') and Q(t'') respectively. Since t' =_ACUM t'' we must have

$$
t' =_{\mathrm{ACUD}} s_1' + \cdots + s_m' - t_1' - \cdots - t_n' + (u_1' - u_1'') + \cdots + (u_p' - u_p'') \tag{8.18}
$$

$$
t'' =_{\mathrm{ACUD}} s_1'' + \cdots + s_m'' - t_1'' - \cdots - t_n'' + (v_1' - v_1'') + \cdots + (v_q' - v_q'') \tag{8.19}
$$

such that m, n, p, q ≥ 0, s_i', s_i'' are functional and s_i' =_ACUM s_i'' for 1 ≤ i ≤ m, t_i', t_i'' are functional and t_i' =_ACUM t_i'' for 1 ≤ i ≤ n, u_i', u_i'' are functional and u_i' =_ACUM u_i'' for 1 ≤ i ≤ p, and v_i', v_i'' are functional and v_i' =_ACUM v_i'' for 1 ≤ i ≤ q. π_1 and π_2 have functional supports of the form P_1(s_1'), ..., P_m(s_m'), P_1'(t_1'), ..., P_n'(t_n'), I_1(u_1'), I_1'(u_1''), ..., I_p(u_p'), I_p'(u_p'') and Q_1(s_1''), ..., Q_m(s_m''), Q_1'(t_1''), ..., Q_n'(t_n''), J_1(v_1'), J_1'(v_1''), ..., J_q(v_q'), J_q'(v_q'') respectively, such that π_1 and π_2 are of the form:

$$
\pi_1 \;=\; \frac{P_1(s_1')\ \cdots\ P_m(s_m')\quad P_1'(t_1')\ \cdots\ P_n'(t_n')\quad I_1(u_1')\ I_1'(u_1'')\ \cdots\ I_p(u_p')\ I_p'(u_p'')}{P(s_1' + \cdots + s_m' - t_1' - \cdots - t_n' + (u_1' - u_1'') + \cdots + (u_p' - u_p''))}\ (A_{eq}/\mathrm{ACUD}) \tag{8.20}
$$

$$
\pi_2 \;=\; \frac{Q_1(s_1'')\ \cdots\ Q_m(s_m'')\quad Q_1'(t_1'')\ \cdots\ Q_n'(t_n'')\quad J_1(v_1')\ J_1'(v_1'')\ \cdots\ J_q(v_q')\ J_q'(v_q'')}{Q(s_1'' + \cdots + s_m'' - t_1'' - \cdots - t_n'' + (v_1' - v_1'') + \cdots + (v_q' - v_q''))}\ (A_{eq}/\mathrm{ACUD}) \tag{8.21}
$$

By definition of B, the atoms P_1(a_{P_1,Q_1}), ..., P_m(a_{P_m,Q_m}), P_1'(a_{P_1',Q_1'}), ..., P_n'(a_{P_n',Q_n'}), I_1(b_{I_1,I_1'}), I_1'(b_{I_1,I_1'}), ..., I_p(b_{I_p,I_p'}), I_p'(b_{I_p,I_p'}) are derivable in B/ACUD. Also A_eq ⊆ B. Hence from (8.20) and Lemma 23, P(a_{P_1,Q_1} + ... + a_{P_m,Q_m} - a_{P_1',Q_1'} - ... - a_{P_n',Q_n'} + (b_{I_1,I_1'} - b_{I_1,I_1'}) + ... + (b_{I_p,I_p'} - b_{I_p,I_p'})) is derivable in B/ACUD. Similarly Q(a_{P_1,Q_1} + ... + a_{P_m,Q_m} - a_{P_1',Q_1'} - ... - a_{P_n',Q_n'} + (b_{J_1,J_1'} - b_{J_1,J_1'}) + ... + (b_{J_q,J_q'} - b_{J_q,J_q'})) is derivable in B/ACUD. Let S = {b_{I_1,I_1'}, ..., b_{I_p,I_p'}} and T = {b_{J_1,J_1'}, ..., b_{J_q,J_q'}}. We have a_{P_1,Q_1} + ... + a_{P_m,Q_m} - a_{P_1',Q_1'} - ... - a_{P_n',Q_n'} + (b_{I_1,I_1'} - b_{I_1,I_1'}) + ... + (b_{I_p,I_p'} - b_{I_p,I_p'}) ∈ L_{P,S} and a_{P_1,Q_1} + ... + a_{P_m,Q_m} - a_{P_1',Q_1'} - ... - a_{P_n',Q_n'} ∈ L'_{P,S}. Similarly a_{P_1,Q_1} + ... + a_{P_m,Q_m} - a_{P_1',Q_1'} - ... - a_{P_n',Q_n'} ∈ L'_{Q,T}. Hence F_{P,Q,S,T}(a_{P_1,Q_1} + ... + a_{P_m,Q_m} - a_{P_1',Q_1'} - ... - a_{P_n',Q_n'}) is derivable in A_{P,Q,S,T}/ACUD. This derivation π_3 must have a functional support of the form R_1(a_{P_1,Q_1}), ..., R_m(a_{P_m,Q_m}), R_1'(a_{P_1',Q_1'}), ..., R_n'(a_{P_n',Q_n'}) and we must have

$$
\pi_3 \;=\; \frac{R_1(a_{P_1,Q_1})\ \cdots\ R_m(a_{P_m,Q_m})\quad R_1'(a_{P_1',Q_1'})\ \cdots\ R_n'(a_{P_n',Q_n'})}{F_{P,Q,S,T}(a_{P_1,Q_1} + \cdots + a_{P_m,Q_m} - a_{P_1',Q_1'} - \cdots - a_{P_n',Q_n'})}\ (A_{P,Q,S,T\,eq}/\mathrm{ACUD}) \tag{8.22}
$$

Since P_i(s_i') and Q_i(s_i'') are in the functional supports of π_1 and π_2 respectively, we have s_i' = f_i(s_i'^1, ..., s_i'^{k_i}) and s_i'' = f_i(s_i''^1, ..., s_i''^{k_i}) for some free f_i of arity k_i such that s_i'^j =_ACUM s_i''^j, the derivation of P_i(s_i') uses P_i(f_i(x_1, ..., x_{k_i})) ⇐ P_i^1(x_1) ∧ ... ∧ P_i^{k_i}(x_{k_i}) as the last clause, the derivation of Q_i(s_i'') uses Q_i(f_i(x_1, ..., x_{k_i})) ⇐ Q_i^1(x_1) ∧ ... ∧ Q_i^{k_i}(x_{k_i}) as the last clause, and for 1 ≤ j ≤ k_i the atoms P_i^j(s_i'^j) and Q_i^j(s_i''^j) are derivable in A/ACUD. By the induction hypothesis, we have s_i^j =_ACUM s_i'^j such that (P_i^j,Q_i^j)(s_i^j) is derivable in A_inter/ACUD. Let s_i = f_i(s_i^1, ..., s_i^{k_i}). (P_i,Q_i)(s_i) is derivable in A_inter/ACUD using the clause (P_i,Q_i)(f_i(x_1, ..., x_{k_i})) ⇐ (P_i^1,Q_i^1)(x_1) ∧ ... ∧ (P_i^{k_i},Q_i^{k_i})(x_{k_i}). Since the clause R_i(a_{P_i,Q_i}) ∈ A_{P,Q,S,T}, the clause R_i(x) ⇐ (P_i,Q_i)(x) ∈ A_inter. Hence for 1 ≤ i ≤ m, R_i(s_i) is derivable in A_inter/ACUD and s_i =_ACUM s_i'. Similarly for 1 ≤ i ≤ n we have a term t_i such that R_i'(t_i) is derivable in A_inter/ACUD and t_i =_ACUM t_i'. Also A_{P,Q,S,T eq} ⊆ A_inter. Hence from (8.22) and Lemma 23, F_{P,Q,S,T}(s_1 + ... + s_m - t_1 - ... - t_n) is derivable in A_inter/ACUD. Let the required t be s_1 + ... + s_m - t_1 - ... - t_n. Also by the induction hypothesis we must have u_j =_ACUM u_j', v_k =_ACUM v_k' such that (I_j,I_j')(u_j) and (J_k,J_k')(v_k) are derivable in A_inter/ACUD for 1 ≤ j ≤ p and 1 ≤ k ≤ q. Then we have the following derivation of (P,Q)(t) in A_inter/ACUD

$$
\frac{F_{P,Q,S,T}(t)\quad \big((I_j,I_j')(u_j)\big)_{1\le j\le p}\quad \big((J_k,J_k')(v_k)\big)_{1\le k\le q}}{(P,Q)(t)}\ (C/\mathrm{ACUD})
$$

where C is the clause (P,Q)(x) ⇐ F_{P,Q,S,T}(x) ∧ ⋀_{b_{R,R'} ∈ S ∪ T} (R,R')(x_{R,R'}). Also it is clear that t =_ACUM t'. □

Lemma 38 For P, Q ∈ P, if (P,Q)(t) is derivable in A_inter/ACUD then for some t' =_ACUM t'' =_ACUM t, P(t') and Q(t'') are derivable in A/ACUD.

Proof: We do induction on the size of the derivation π of (P,Q)(t) in A_inter/ACUD. From examination of the clauses in A_inter, π must use a clause

$$
C \;=\; (P,Q)(x) \Leftarrow F_{P,Q,S,T}(x) \wedge \bigwedge_{b_{R,R'} \in S \cup T} (R,R')(x_{R,R'})
$$

as the last clause, for some S, T ⊆ S_2. Hence F_{P,Q,S,T}(t) is derivable in A_inter/ACUD with a derivation π_1 which is strictly smaller than π. Also we have terms t_{R,R'} for each b_{R,R'} in S ∪ T such that (R,R')(t_{R,R'}) is derivable in A_inter/ACUD with a derivation which is strictly smaller than π. From the induction hypothesis we get terms t'_{R,R'} =_ACUM t''_{R,R'} =_ACUM t_{R,R'} such that:

R(t'_{R,R'}) and R'(t''_{R,R'}) are derivable in A/ACUD, for each b_{R,R'} ∈ S ∪ T. (*)

Again from examination of the clauses in A_inter, π_1 must have a functional support of the form (P_1,Q_1)(s_1), ..., (P_m,Q_m)(s_m), (P_1',Q_1')(t_1), ..., (P_n',Q_n')(t_n) for some m, n ≥ 0 such that t =_ACUD s_1 + ... + s_m - t_1 - ... - t_n, and π_1 is of the form

$$
\pi_1 \;=\; \frac{\dfrac{(P_1,Q_1)(s_1)}{R_1(s_1)}\,C_1\ \cdots\ \dfrac{(P_m,Q_m)(s_m)}{R_m(s_m)}\,C_m\quad \dfrac{(P_1',Q_1')(t_1)}{R_1'(t_1)}\,C_1'\ \cdots\ \dfrac{(P_n',Q_n')(t_n)}{R_n'(t_n)}\,C_n'}{F_{P,Q,S,T}(s_1 + \cdots + s_m - t_1 - \cdots - t_n)}\ (A_{P,Q,S,T\,eq}/\mathrm{ACUD}) \tag{8.23}
$$

where C_i = R_i(x) ⇐ (P_i,Q_i)(x) for 1 ≤ i ≤ m and C_i' = R_i'(x) ⇐ (P_i',Q_i')(x) for 1 ≤ i ≤ n. Hence the clause R_i(a_{P_i,Q_i}) ∈ A_{P,Q,S,T} for 1 ≤ i ≤ m. Hence R_i(a_{P_i,Q_i}) is derivable in A_{P,Q,S,T}/ACUD for 1 ≤ i ≤ m. Similarly R_i'(a_{P_i',Q_i'}) is derivable in A_{P,Q,S,T}/ACUD for 1 ≤ i ≤ n. Also A_{P,Q,S,T eq} ⊆ A_inter. Hence using (8.23) and Lemma 23, F_{P,Q,S,T}(a_{P_1,Q_1} + ... + a_{P_m,Q_m} - a_{P_1',Q_1'} - ... - a_{P_n',Q_n'}) is derivable in A_{P,Q,S,T}/ACUD. So a_{P_1,Q_1} + ... + a_{P_m,Q_m} - a_{P_1',Q_1'} - ... - a_{P_n',Q_n'} ∈ L'_{P,S}. Therefore we must have b_{I_1,I_1'}, ..., b_{I_p,I_p'} ∈ S (p ≥ 0) such that a_{P_1,Q_1} + ... + a_{P_m,Q_m} - a_{P_1',Q_1'} - ... - a_{P_n',Q_n'} + (b_{I_1,I_1'} - b_{I_1,I_1'}) + ... + (b_{I_p,I_p'} - b_{I_p,I_p'}) ∈ L_P(B/ACUD).

For 1 ≤ i ≤ m, since s_i is functional, there is a free f_i of arity k_i and terms s_i^1, ..., s_i^{k_i} such that s_i = f_i(s_i^1, ..., s_i^{k_i}). Since (P_i,Q_i)(s_i) is in the functional support of π_1, it uses as last clause a clause of the form (P_i,Q_i)(f_i(x_1, ..., x_{k_i})) ⇐ (P_i^1,Q_i^1)(x_1) ∧ ... ∧ (P_i^{k_i},Q_i^{k_i})(x_{k_i}) corresponding to clauses P_i(f_i(x_1, ..., x_{k_i})) ⇐ P_i^1(x_1) ∧ ... ∧ P_i^{k_i}(x_{k_i}) and Q_i(f_i(x_1, ..., x_{k_i})) ⇐ Q_i^1(x_1) ∧ ... ∧ Q_i^{k_i}(x_{k_i}) of A_free, so that (P_i^j,Q_i^j)(s_i^j) is derivable in A_inter/ACUD using a derivation strictly smaller than π_1. By the induction hypothesis, we have s_i'^j =_ACUM s_i''^j =_ACUM s_i^j such that P_i^j(s_i'^j) and Q_i^j(s_i''^j) are derivable in A/ACUD. Let s_i' = f_i(s_i'^1, ..., s_i'^{k_i}) and s_i'' = f_i(s_i''^1, ..., s_i''^{k_i}). For 1 ≤ i ≤ m we have s_i' =_ACUM s_i, and P_i(s_i') is derivable in A/ACUD using the clause P_i(f_i(x_1, ..., x_{k_i})) ⇐ P_i^1(x_1) ∧ ... ∧ P_i^{k_i}(x_{k_i}). Similarly for 1 ≤ i ≤ m we have s_i'' =_ACUM s_i and Q_i(s_i'') is derivable in A/ACUD. Similarly for 1 ≤ i ≤ n we have terms t_i' =_ACUM t_i'' =_ACUM t_i such that P_i'(t_i') and Q_i'(t_i'') are derivable in A/ACUD.

Now the derivation (call it π_2) of P(a_{P_1,Q_1} + ... + a_{P_m,Q_m} - a_{P_1',Q_1'} - ... - a_{P_n',Q_n'} + (b_{I_1,I_1'} - b_{I_1,I_1'}) + ... + (b_{I_p,I_p'} - b_{I_p,I_p'})) in B/ACUD must have a functional support of the form P_1^1(a_{P_1,Q_1}), ..., P_m^1(a_{P_m,Q_m}), P_1'^1(a_{P_1',Q_1'}), ..., P_n'^1(a_{P_n',Q_n'}), I_1^1(b_{I_1,I_1'}), I_1^2(b_{I_1,I_1'}), ..., I_p^1(b_{I_p,I_p'}), I_p^2(b_{I_p,I_p'}), where for 1 ≤ i ≤ m P_i^1 ∈ {P_i, Q_i}, for 1 ≤ i ≤ n P_i'^1 ∈ {P_i', Q_i'}, and for 1 ≤ i ≤ p I_i^1, I_i^2 ∈ {I_i, I_i'}. We have

$$
\pi_2 \;=\; \frac{\big(P_i^1(a_{P_i,Q_i})\big)_{1\le i\le m}\quad \big(P^{\prime\,1}_i(a_{P_i',Q_i'})\big)_{1\le i\le n}\quad \big(I_i^1(b_{I_i,I_i'})\ I_i^2(b_{I_i,I_i'})\big)_{1\le i\le p}}{P\Big(\sum_{1\le i\le m} a_{P_i,Q_i} \;-\; \sum_{1\le i\le n} a_{P_i',Q_i'} \;+\; \sum_{1\le i\le p} (b_{I_i,I_i'} - b_{I_i,I_i'})\Big)}\ (B_{eq}/\mathrm{ACUD}) \tag{8.24}
$$

For 1 ≤ i ≤ p, since b_{I_i,I_i'} ∈ S, by (*) I_i(t'_{I_i,I_i'}) and I_i'(t''_{I_i,I_i'}) are derivable in A/ACUD and t'_{I_i,I_i'} =_ACUM t''_{I_i,I_i'}. Recall that for 1 ≤ i ≤ m, P_i(s_i') and Q_i(s_i'') are derivable in A/ACUD and for 1 ≤ i ≤ n, P_i'(t_i') and Q_i'(t_i'') are derivable in A/ACUD. Also B_eq = A_eq. So from (8.24) and Lemma 21, P(s_1^1 + ... + s_m^1 - t_1^1 - ... - t_n^1 + (t^1_{I_1,I_1'} - t^2_{I_1,I_1'}) + ... + (t^1_{I_p,I_p'} - t^2_{I_p,I_p'})) is derivable in A/ACUD, where for 1 ≤ i ≤ m we have s_i^1 ∈ {s_i', s_i''}, for 1 ≤ i ≤ n we have t_i^1 ∈ {t_i', t_i''}, and for 1 ≤ i ≤ p we have t^1_{I_i,I_i'}, t^2_{I_i,I_i'} ∈ {t'_{I_i,I_i'}, t''_{I_i,I_i'}}. Let the required t' be s_1^1 + ... + s_m^1 - t_1^1 - ... - t_n^1 + (t^1_{I_1,I_1'} - t^2_{I_1,I_1'}) + ... + (t^1_{I_p,I_p'} - t^2_{I_p,I_p'}). We have t =_ACUM t' and P(t') is derivable in A/ACUD. Similarly we can find t'' such that t =_ACUM t'' and Q(t'') is derivable in A/ACUD. □


Theorem 24 One-way ACUM automata are effectively closed under intersection. 


Proof: Let A_1 and A_2 be two one-way automata whose intersection we want to compute. We assume without loss of generality that they are built from disjoint sets of states P_1 and P_2 respectively, and that their final states are P and Q respectively. Define the automaton A = A_1 ∪ A_2 on the set of states P = P_1 ∪ P_2. We compute the automaton A_inter corresponding to the automaton A, as described in the above procedure. A_inter is not exactly a one-way automaton because of the presence of the extended epsilon clauses. However from Lemma 20, we have a one-way automaton A'_inter such that L_q(A'_inter/ACUD) = L_q(A_inter/ACUD) for each state q of A_inter.

1. First we show that L_P(A_1/ACUM) ∩ L_Q(A_2/ACUM) ⊆ L_(P,Q)(A'_inter/ACUM). Let s ∈ L_P(A_1/ACUM) ∩ L_Q(A_2/ACUM). From Lemma 19 we have terms t' =_ACUM t'' =_ACUM s such that t' ∈ L_P(A_1/ACUD) = L_P(A/ACUD) and t'' ∈ L_Q(A_2/ACUD) = L_Q(A/ACUD). From Lemma 37 there is a t =_ACUM t' such that t ∈ L_(P,Q)(A_inter/ACUD) = L_(P,Q)(A'_inter/ACUD) ⊆ L_(P,Q)(A'_inter/ACUM). Since s =_ACUM t we have s ∈ L_(P,Q)(A'_inter/ACUM).

2. Next we show that L_(P,Q)(A'_inter/ACUM) ⊆ L_P(A_1/ACUM) ∩ L_Q(A_2/ACUM). Let s ∈ L_(P,Q)(A'_inter/ACUM). Since A'_inter is a one-way automaton, by Lemma 19 there is a t =_ACUM s such that t ∈ L_(P,Q)(A'_inter/ACUD) = L_(P,Q)(A_inter/ACUD). By Lemma 38 we have t' =_ACUM t'' =_ACUM t such that t' ∈ L_P(A/ACUD) = L_P(A_1/ACUD) ⊆ L_P(A_1/ACUM) and t'' ∈ L_Q(A/ACUD) = L_Q(A_2/ACUD) ⊆ L_Q(A_2/ACUM). Since t =_ACUM t' =_ACUM t'', hence t ∈ L_P(A_1/ACUM) and t ∈ L_Q(A_2/ACUM). Hence t, and therefore also s =_ACUM t, lies in L_P(A_1/ACUM) ∩ L_Q(A_2/ACUM).

Hence by naming (P,Q) as the final state of A'_inter we have L(A'_inter/ACUM) = L(A_1/ACUM) ∩ L(A_2/ACUM). □

8.5 Idempotence Axiom: ACUI Automata

In this section we show that one-way ACUI automata are closed under intersection. In the ACUI case also we use techniques similar to the previous cases.

Let A be a one-way ACUI automaton with predicates from P. Instead of computing intersections of pairs of states, we will need to compute intersections of all tuples of states. Hence we introduce new predicates S, together with a marked copy of S, for every ∅ ≠ S ⊆ P.

We introduce a set of new constants a_S for each ∅ ≠ S ⊆ P. Let B = A_eq ∪ {P(a_S) | P ∈ S}. From Theorem 16, L_P(B/ACU) is a semilinear set for every P. Define L_P = {n_1 a_{S_1} + ... + n_k a_{S_k} | some m_1 a_{S_1} + ... + m_k a_{S_k} ∈ L_P(B/ACU), 1 ≤ n_i ≤ m_i}. This is a semilinear set. For every ∅ ≠ S ⊆ P, L_S = ∩_{P ∈ S} L_P is a semilinear set. By Theorem 16, we can construct a constant-only ACU automaton A_S with final state F_S such that L(A_S/ACU) = L_S. We assume that the automata A_S are built from mutually disjoint sets of (fresh) states.

The required automaton A_inter has the following clauses:

- the clause S(x) ⇐ F_S(x) for each ∅ ≠ S ⊆ P.

- the clauses of A_{S eq} for each ∅ ≠ S ⊆ P.

- the clause R(x) ⇐ S(x) for each clause R(a_S) in some A_S.

- the clause

S(f(x_1, ..., x_n)) ⇐ S_1(x_1) ∧ ... ∧ S_n(x_n)

for clauses

P^i(f(x_1, ..., x_n)) ⇐ P_1^i(x_1) ∧ ... ∧ P_n^i(x_n)

in A_free for 1 ≤ i ≤ k, k ≥ 1, where S = {P^1, ..., P^k} and S_j = {P_j^1, ..., P_j^k}.

The idea is that if, say, three atoms P(t'), Q(t''), R(t''') are derivable in A modulo ACU and t' =_ACUI t'' =_ACUI t''', then their functional supports must be of the form P_1^1(t_1'^1), ..., P_1^{p_1}(t_1'^{p_1}), ..., P_n^1(t_n'^1), ..., P_n^{p_n}(t_n'^{p_n}) and Q_1^1(t_1''^1), ..., Q_1^{q_1}(t_1''^{q_1}), ..., Q_n^1(t_n''^1), ..., Q_n^{q_n}(t_n''^{q_n}) and R_1^1(t_1'''^1), ..., R_1^{r_1}(t_1'''^{r_1}), ..., R_n^1(t_n'''^1), ..., R_n^{r_n}(t_n'''^{r_n}), such that p_i, q_i, r_i ≥ 1 and

t_i'^1 =_ACUI ... =_ACUI t_i'^{p_i} =_ACUI t_i''^1 =_ACUI ... =_ACUI t_i''^{q_i} =_ACUI t_i'''^1 =_ACUI ... =_ACUI t_i'''^{r_i}

for 1 ≤ i ≤ n, so we can contract the terms to get t_1'^1 + ... + t_n'^1, t_1''^1 + ... + t_n''^1 and t_1'''^1 + ... + t_n'''^1. Then in B we can derive P(p_1 a_{S_1} + ... + p_n a_{S_n}), Q(q_1 a_{S_1} + ... + q_n a_{S_n}) and R(r_1 a_{S_1} + ... + r_n a_{S_n}) where S_j = {P_j^1, ..., P_j^{p_j}, Q_j^1, ..., Q_j^{q_j}, R_j^1, ..., R_j^{r_j}}. Then a_{S_1} + ... + a_{S_n} is in L_P ∩ L_Q ∩ L_R. In this way the a_S's are used to account for the contractions using equation I.
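The equalities =_ACU, =_ACUX (and =_ACUX_n), =_ACUD, =_ACUM and =_ACUI used throughout these proofs all come down to comparing the multiset of functional summands of a term, with multiplicities reduced by the theory's axiom (mod n for X_n, cancellation of signed pairs for M, collapse to 1 for I), and the "functional support" decompositions t =_E s_1 + ... + s_m - t_1 - ... - t_n are read off the same multiset. The following Python normaliser is an added illustration, not code from the thesis; the tuple encoding of terms and the names `normalize`, `equal_modulo` and `functional_support` are its own conventions.

```python
from collections import Counter

# Term encoding (an added convention, not the thesis's): nested tuples.
#   ZERO                    the constant 0
#   ('+', t1, ..., tk)      t1 + ... + tk
#   ('-', t)                -t, allowed only in ACUD and ACUM
#   ('f', t1, ..., tk)      any other head is a free symbol; ('a',) is a constant
ZERO = ('0',)


def _collect(term, sign, theory, n, counts):
    """Flatten `term` into `counts`, a Counter of (functional summand, sign)."""
    if term == ZERO:                         # U: x + 0 = x
        return
    head = term[0]
    if head == '+':                          # A, C: a sum is a multiset of summands
        for arg in term[1:]:
            _collect(arg, sign, theory, n, counts)
    elif head == '-':                        # D: -(x+y) = -x + -y, -(-x) = x, -0 = 0
        if theory not in ('ACUD', 'ACUM'):
            raise ValueError("'-' is not in the signature of " + theory)
        _collect(term[1], -sign, theory, n, counts)
    else:                                    # free symbol: normalise its arguments too
        func = (head,) + tuple(normalize(a, theory, n) for a in term[1:])
        counts[(func, sign)] += 1


def normalize(term, theory, n=2):
    """Canonical form of `term` modulo ACU, ACUX (ACUX_n for n > 2), ACUD, ACUM, ACUI.

    Returns ('sum', ((s_1, c_1), ..., (s_m, c_m))): distinct functional summands
    with non-zero integer multiplicities, sorted so equal terms get equal forms.
    In ACUD a summand and its negation stay separate entries, like the constants
    a and a-bar used for the semilinear sets above.
    """
    counts = Counter()
    _collect(term, +1, theory, n, counts)
    items = []
    if theory == 'ACUM':                     # M: x - x = 0, signed occurrences cancel
        merged = Counter()
        for (func, sign), c in counts.items():
            merged[func] += sign * c
        items = [(func, c) for func, c in merged.items() if c != 0]
    else:
        for (func, sign), c in counts.items():
            if theory == 'ACUX':             # X_n: n copies of a summand vanish
                c %= n
            elif theory == 'ACUI':           # I: x + x = x
                c = 1
            if c:
                items.append((func, sign * c))
    return ('sum', tuple(sorted(items, key=repr)))


def equal_modulo(t1, t2, theory, n=2):
    """Decide t1 =_theory t2."""
    return normalize(t1, theory, n) == normalize(t2, theory, n)


def functional_support(term, theory, n=2):
    """The decomposition t =_E s_1 + ... + s_m - t_1 - ... - t_n used in the proofs:
    the maximal functional subterms of `term` with their signed multiplicities."""
    return normalize(term, theory, n)[1]


if __name__ == '__main__':
    a, b, c = ('a',), ('b',), ('c',)          # constructed sample terms
    f = lambda *xs: ('f',) + xs
    g = lambda *xs: ('g',) + xs
    print(equal_modulo(('+', f(a, b), f(b, a)), ZERO, 'ACUX'))             # False
    print(equal_modulo(('+', f(('+', a, b)), f(('+', b, a))), ZERO, 'ACUX'))  # True
    print(equal_modulo(('+', f(a), ('-', f(a))), ZERO, 'ACUM'))            # True
    print(equal_modulo(('+', f(a), ('-', f(a))), ZERO, 'ACUD'))            # False
    print(functional_support(('+', f(a), g(b), ('-', f(a)), ('-', g(c)), g(b)), 'ACUM'))
```

The last call illustrates the ACUM case: f(a) and -f(a) cancel, leaving the support g(b) with multiplicity 2 and g(c) with multiplicity -1.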


Lemma 39 If P^1(t^1), ..., P^N(t^N) are derivable in A/ACU for some N ≥ 1, and t^1 =_ACUI ... =_ACUI t^N, then for some t =_ACUI t^1, {P^1, ..., P^N}(t) is derivable in A_inter/ACU.

Proof: We do induction on the maximum of the sizes of the derivations of P^1(t^1), ..., P^N(t^N) in A/ACU. To avoid heavy notation we consider the case N = 2; the arguments easily generalize to arbitrary N. So we assume that P(t') and Q(t'') are derivable in A/ACU and t' =_ACUI t''. We need to show that {P,Q}(t) is derivable in A_inter/ACU for some t =_ACUI t'. Since t' =_ACUI t'' we have

$$
t' =_{\mathrm{ACU}} t_1^{\prime\,1} + \cdots + t_1^{\prime\,p_1} + \cdots + t_n^{\prime\,1} + \cdots + t_n^{\prime\,p_n}
$$

$$
t'' =_{\mathrm{ACU}} t_1^{\prime\prime\,1} + \cdots + t_1^{\prime\prime\,q_1} + \cdots + t_n^{\prime\prime\,1} + \cdots + t_n^{\prime\prime\,q_n}
$$

where n ≥ 0, for 1 ≤ i ≤ n we have p_i, q_i ≥ 1, and for 1 ≤ j ≤ p_i, 1 ≤ j' ≤ q_i the terms t_i'^j and t_i''^{j'} are functional and t_i'^j =_ACUI t_i''^{j'}. (In particular, t_i'^j =_ACUI t_i'^{j'} for 1 ≤ j ≤ p_i, 1 ≤ j' ≤ p_i and t_i''^j =_ACUI t_i''^{j'} for 1 ≤ j ≤ q_i, 1 ≤ j' ≤ q_i.)

The derivation π_1 of P(t') has a functional support of the form P_1^1(t_1'^1), ..., P_1^{p_1}(t_1'^{p_1}), ..., P_n^1(t_n'^1), ..., P_n^{p_n}(t_n'^{p_n}) and we have

$$
\pi_1 \;=\; \frac{P_1^1(t_1^{\prime\,1})\ \cdots\ P_1^{p_1}(t_1^{\prime\,p_1})\ \cdots\ P_n^1(t_n^{\prime\,1})\ \cdots\ P_n^{p_n}(t_n^{\prime\,p_n})}{P(t_1^{\prime\,1} + \cdots + t_1^{\prime\,p_1} + \cdots + t_n^{\prime\,1} + \cdots + t_n^{\prime\,p_n})}\ (A_{eq}/\mathrm{ACU}) \tag{8.25}
$$

The derivation π_2 of Q(t'') has a functional support of the form Q_1^1(t_1''^1), ..., Q_1^{q_1}(t_1''^{q_1}), ..., Q_n^1(t_n''^1), ..., Q_n^{q_n}(t_n''^{q_n}) and we have

$$
\pi_2 \;=\; \frac{Q_1^1(t_1^{\prime\prime\,1})\ \cdots\ Q_1^{q_1}(t_1^{\prime\prime\,q_1})\ \cdots\ Q_n^1(t_n^{\prime\prime\,1})\ \cdots\ Q_n^{q_n}(t_n^{\prime\prime\,q_n})}{Q(t_1^{\prime\prime\,1} + \cdots + t_1^{\prime\prime\,q_1} + \cdots + t_n^{\prime\prime\,1} + \cdots + t_n^{\prime\prime\,q_n})}\ (A_{eq}/\mathrm{ACU}) \tag{8.26}
$$

For 1 ≤ i ≤ n define S_i = {P_i^1, ..., P_i^{p_i}, Q_i^1, ..., Q_i^{q_i}}. For 1 ≤ i ≤ n, 1 ≤ j ≤ p_i, P_i^j(a_{S_i}) is derivable in B/ACU. From (8.25) and Lemma 21, P(p_1 a_{S_1} + ... + p_n a_{S_n}) is derivable in B. Similarly Q(q_1 a_{S_1} + ... + q_n a_{S_n}) is derivable in B. Hence a_{S_1} + ... + a_{S_n} belongs to L_P ∩ L_Q. Let S = {P,Q}. F_S(a_{S_1} + ... + a_{S_n}) is derivable in A_S.

For 1 ≤ i ≤ n, 1 ≤ j ≤ p_i, since t_i'^j is functional and t_i'^j =_ACUI t_i'^k for 1 ≤ k ≤ p_i, we have some free f_i of arity k_i and terms t_{i,1}'^j, ..., t_{i,k_i}'^j such that t_i'^j = f_i(t_{i,1}'^j, ..., t_{i,k_i}'^j). For 1 ≤ i ≤ n, 1 ≤ j ≤ q_i, since t_i''^j =_ACUI t_i'^1 we have terms t_{i,1}''^j, ..., t_{i,k_i}''^j such that t_{i,k}'^1 =_ACUI t_{i,k}''^j for 1 ≤ k ≤ k_i and t_i''^j = f_i(t_{i,1}''^j, ..., t_{i,k_i}''^j). For 1 ≤ i ≤ n, 1 ≤ j ≤ p_i, since P_i^j(t_i'^j) is in the functional support of π_1, we have a clause P_i^j(f_i(x_1, ..., x_{k_i})) ⇐ P_{i,1}^j(x_1) ∧ ... ∧ P_{i,k_i}^j(x_{k_i}) ∈ A_free such that for 1 ≤ k ≤ k_i the atom P_{i,k}^j(t_{i,k}'^j) is derivable in A/ACU using a derivation strictly smaller than π_1. Similarly for 1 ≤ i ≤ n, 1 ≤ j ≤ q_i, we have a clause Q_i^j(f_i(x_1, ..., x_{k_i})) ⇐ Q_{i,1}^j(x_1) ∧ ... ∧ Q_{i,k_i}^j(x_{k_i}) such that for 1 ≤ k ≤ k_i the atom Q_{i,k}^j(t_{i,k}''^j) is derivable in A/ACU using a derivation strictly smaller than π_2. By the induction hypothesis, for 1 ≤ i ≤ n, 1 ≤ k ≤ k_i, there is some t_{i,k} =_ACUI t_{i,k}'^1 such that S_{i,k}(t_{i,k}) is derivable in A_inter/ACU, where S_{i,k} = {P_{i,k}^1, ..., P_{i,k}^{p_i}, Q_{i,k}^1, ..., Q_{i,k}^{q_i}}. For 1 ≤ i ≤ n, A_inter has the clause S_i(f_i(x_1, ..., x_{k_i})) ⇐ S_{i,1}(x_1) ∧ ... ∧ S_{i,k_i}(x_{k_i}). Let t_i = f_i(t_{i,1}, ..., t_{i,k_i}). Then S_i(t_i) is derivable in A_inter/ACU.

The derivation (call it π_3) of F_S(a_{S_1} + ... + a_{S_n}) in A_S/ACU has a functional support of the form R_1(a_{S_1}), ..., R_n(a_{S_n}) and we have

$$
\pi_3 \;=\; \frac{R_1(a_{S_1})\ \cdots\ R_n(a_{S_n})}{F_S(a_{S_1} + \cdots + a_{S_n})}\ (A_{S\,eq}/\mathrm{ACU}) \tag{8.27}
$$

For 1 ≤ i ≤ n, since the clause R_i(a_{S_i}) ∈ A_S, the clause R_i(x) ⇐ S_i(x) ∈ A_inter. Since S_i(t_i) is derivable in A_inter/ACU, R_i(t_i) is derivable in A_inter/ACU. Since A_{S eq} ⊆ A_inter, from (8.27) and Lemma 21, F_S(t_1 + ... + t_n) is derivable in A_inter/ACU. Hence using the clause S(x) ⇐ F_S(x) we get a derivation of S(t_1 + ... + t_n) in A_inter/ACU. Let the required t = t_1 + ... + t_n. Then it is easy to see that t =_ACUI t'. □

Lemma 40 If {P^1, ..., P^N}(t) is derivable in A_inter/ACU for some N ≥ 1, then for each 1 ≤ i ≤ N, for some t' =_ACUI t, P^i(t') is derivable in A/ACU.

Proof: We do induction on the size of the derivation of $\{P^1, \ldots, P^N\}(t)$. As in the proof of Lemma 39 we only consider the case $N = 2$, and the arguments easily generalize to arbitrary $N$. So let $S = \{P, Q\}$ and let $S(t)$ be derivable in $\mathcal{A}_{inter}/\mathrm{ACU}$. Since $S(x) \Leftarrow F_S(x)$ is the only clause with the predicate $S$ in the head, the derivation $\pi$ of $S(t)$ must use the clause $S(x) \Leftarrow F_S(x)$ as the last clause. Also $F_S(t)$ is derivable in $\mathcal{A}_{inter}/\mathrm{ACU}$ using a derivation $\pi_1$ which is strictly smaller than $\pi$. Again from examination of the clauses in $\mathcal{A}_{inter}$, $\pi_1$ has a functional support of the form $S_1(t_1), \ldots, S_n(t_n)$ and we have

\[
\pi_1 \;=\; \frac{\dfrac{S_1(t_1)}{R_1(t_1)}\,(R_1(x) \Leftarrow S_1(x)) \quad \ldots \quad \dfrac{S_n(t_n)}{R_n(t_n)}\,(R_n(x) \Leftarrow S_n(x))}{F_S(t_1 + \ldots + t_n)}\;(\mathcal{A}_{S\,eq}/\mathrm{ACU}) \tag{8.28}
\]

Hence for $1 \le i \le n$ the clause $R_i(a_{S_i}) \in \mathcal{A}_S$. Hence $R_i(a_{S_i})$ is derivable in $\mathcal{A}_S/\mathrm{ACU}$ for $1 \le i \le n$. Using (8.28) and Lemma 21, $F_S(a_{S_1} + \ldots + a_{S_n})$ is derivable in $\mathcal{A}_S/\mathrm{ACU}$. So $a_{S_1} + \ldots + a_{S_n} \in \mathcal{L}_S$. Then there must be some $p_1, \ldots, p_n \ge 1$ such that $p_1 a_{S_1} + \ldots + p_n a_{S_n} \in \mathcal{L}_P(\mathcal{B}/\mathrm{ACU})$.

For $1 \le i \le n$, since $t_i$ is functional we have some free $f_i$ of arity $k_i$ and terms $t_{i,1}, \ldots, t_{i,k_i}$ such that $t_i = f_i(t_{i,1}, \ldots, t_{i,k_i})$. Since $S_i(t_i)$ is in the functional support of $\pi_1$, there is a clause $S_i(f_i(x_1, \ldots, x_{k_i})) \Leftarrow S_{i,1}(x_1) \wedge \ldots \wedge S_{i,k_i}(x_{k_i})$ such that for $1 \le k \le k_i$ the atom $S_{i,k}(t_{i,k})$ is derivable in $\mathcal{A}_{inter}/\mathrm{ACU}$ using a derivation strictly smaller than $\pi$. By induction hypothesis, for each $P' \in S_{i,k}$ there is some $u =_{\mathrm{ACUI}} t_{i,k}$ such that $P'(u)$ is derivable in $\mathcal{A}/\mathrm{ACU}$. Also by construction of $\mathcal{A}_{inter}$, for each $P' \in S_i$ there must be some clause $P'(f_i(x_1, \ldots, x_{k_i})) \Leftarrow P'_1(x_1) \wedge \ldots \wedge P'_{k_i}(x_{k_i})$ in $\mathcal{A}$ such that $P'_k \in S_{i,k}$. Hence

for each $P' \in S_i$ there is some $u =_{\mathrm{ACUI}} t_i$ such that $P'(u)$ is derivable in $\mathcal{A}/\mathrm{ACU}$ (*)

Now the derivation (call it $\pi_2$) of $P(p_1 a_{S_1} + \ldots + p_n a_{S_n})$ in $\mathcal{B}/\mathrm{ACU}$ has a functional support of the form $P_1^1(a_{S_1}), \ldots, P_1^{p_1}(a_{S_1}), \ldots, P_n^1(a_{S_n}), \ldots, P_n^{p_n}(a_{S_n})$ such that for $1 \le i \le n$, $1 \le j \le p_i$, $P_i^j \in S_i$, and we have

\[
\pi_2 \;=\; \frac{P_1^1(a_{S_1}) \;\ldots\; P_1^{p_1}(a_{S_1}) \;\ldots\; P_n^1(a_{S_n}) \;\ldots\; P_n^{p_n}(a_{S_n})}{P(p_1 a_{S_1} + \ldots + p_n a_{S_n})}\;(\mathcal{B}_{eq}/\mathrm{ACU}) \tag{8.29}
\]

From (*), for $1 \le i \le n$, $1 \le j \le p_i$ we have a term $t_i^j =_{\mathrm{ACUI}} t_i$ such that $P_i^j(t_i^j)$ is derivable in $\mathcal{A}/\mathrm{ACU}$. Let the required $t' = t_1^1 + \ldots + t_1^{p_1} + \ldots + t_n^1 + \ldots + t_n^{p_n}$. We know that $\mathcal{A}_{eq} = \mathcal{B}_{eq}$. Hence from (8.29), (*) and Lemma 21, $P(t')$ is derivable in $\mathcal{A}/\mathrm{ACU}$. Also it is clear that $t' =_{\mathrm{ACUI}} t$. □

Theorem 25 One-way ACUI automata are effectively closed under intersection.

Proof: Let $\mathcal{A}_1$ and $\mathcal{A}_2$ be two one-way automata whose intersection we want to compute. We assume without loss of generality that they are built from disjoint sets of states $\mathbb{P}_1$ and $\mathbb{P}_2$ respectively, and that their final states are $P$ and $Q$ respectively. Define automaton $\mathcal{A} = \mathcal{A}_1 \cup \mathcal{A}_2$ on the set of states $\mathbb{P} = \mathbb{P}_1 \cup \mathbb{P}_2$. We compute the automaton $\mathcal{A}_{inter}$ corresponding to the automaton $\mathcal{A}$, as described in the above procedure. $\mathcal{A}_{inter}$ is a one-way automaton.

1. First we show that $\mathcal{L}_P(\mathcal{A}_1/\mathrm{ACUI}) \cap \mathcal{L}_Q(\mathcal{A}_2/\mathrm{ACUI}) \subseteq \mathcal{L}_{\{P,Q\}}(\mathcal{A}_{inter}/\mathrm{ACUI})$. Let $s \in \mathcal{L}_P(\mathcal{A}_1/\mathrm{ACUI}) \cap \mathcal{L}_Q(\mathcal{A}_2/\mathrm{ACUI})$. From Lemma 19 we have terms $t' =_{\mathrm{ACUI}} t'' =_{\mathrm{ACUI}} s$ such that $t' \in \mathcal{L}_P(\mathcal{A}_1/\mathrm{ACU}) = \mathcal{L}_P(\mathcal{A}/\mathrm{ACU})$ and $t'' \in \mathcal{L}_Q(\mathcal{A}_2/\mathrm{ACU}) = \mathcal{L}_Q(\mathcal{A}/\mathrm{ACU})$. From Lemma 39 there is a $t =_{\mathrm{ACUI}} t'$ such that $t \in \mathcal{L}_{\{P,Q\}}(\mathcal{A}_{inter}/\mathrm{ACU}) \subseteq \mathcal{L}_{\{P,Q\}}(\mathcal{A}_{inter}/\mathrm{ACUI})$. Since $s =_{\mathrm{ACUI}} t$ we have $s \in \mathcal{L}_{\{P,Q\}}(\mathcal{A}_{inter}/\mathrm{ACUI})$.

2. Next we show that $\mathcal{L}_{\{P,Q\}}(\mathcal{A}_{inter}/\mathrm{ACUI}) \subseteq \mathcal{L}_P(\mathcal{A}_1/\mathrm{ACUI}) \cap \mathcal{L}_Q(\mathcal{A}_2/\mathrm{ACUI})$. Let $s \in \mathcal{L}_{\{P,Q\}}(\mathcal{A}_{inter}/\mathrm{ACUI})$. By Lemma 19 there is a $t =_{\mathrm{ACUI}} s$ such that $t \in \mathcal{L}_{\{P,Q\}}(\mathcal{A}_{inter}/\mathrm{ACU})$. By Lemma 40 we have $t' =_{\mathrm{ACUI}} t'' =_{\mathrm{ACUI}} t$ such that $t' \in \mathcal{L}_P(\mathcal{A}/\mathrm{ACU}) = \mathcal{L}_P(\mathcal{A}_1/\mathrm{ACU}) \subseteq \mathcal{L}_P(\mathcal{A}_1/\mathrm{ACUI})$ and $t'' \in \mathcal{L}_Q(\mathcal{A}/\mathrm{ACU}) = \mathcal{L}_Q(\mathcal{A}_2/\mathrm{ACU}) \subseteq \mathcal{L}_Q(\mathcal{A}_2/\mathrm{ACUI})$. Since $t =_{\mathrm{ACUI}} t' =_{\mathrm{ACUI}} t''$, $t \in \mathcal{L}_P(\mathcal{A}_1/\mathrm{ACUI})$ and $t \in \mathcal{L}_Q(\mathcal{A}_2/\mathrm{ACUI})$. Hence $t$, and therefore also $s =_{\mathrm{ACUI}} t$, lies in $\mathcal{L}_P(\mathcal{A}_1/\mathrm{ACUI}) \cap \mathcal{L}_Q(\mathcal{A}_2/\mathrm{ACUI})$.

Hence by naming $\{P, Q\}$ as the final state of $\mathcal{A}_{inter}$ we have $\mathcal{L}(\mathcal{A}_{inter}/\mathrm{ACUI}) = \mathcal{L}(\mathcal{A}_1/\mathrm{ACUI}) \cap \mathcal{L}(\mathcal{A}_2/\mathrm{ACUI})$. □

8.6 Conclusion

We have shown that modulo all the AC theories we deal with (AC, ACU, ACUX, ACUX$_n$, ACUM, ACUI), the one-way tree automata are closed under intersection. This result however does not generalize to arbitrary equational theories, since we have seen in Chapter 4 that one-way A tree automata are not closed under intersection. We have already shown in Chapter 7 that emptiness of one-way equational tree automata is also decidable. As a result, intersection-emptiness of these one-way equational tree automata is decidable, which is the important question from the point of view of verification of cryptographic protocols. We emphasize that these results also imply decidability of membership, because checking whether $t \in \mathcal{L}(\mathcal{A}/E)$ is equivalent to checking whether $E(\{t\}) \cap \mathcal{L}(\mathcal{A}/E)$ is non-empty. The latter problem reduces to the problem of intersection-emptiness because $E(\{t\})$ is accepted by a one-way $E$ tree automaton by Lemma 19.



Chapter 9

Complementation of One-Way Equational Tree Automata


In this chapter we study closure under complementation of one-way equational tree automata. We have seen that one-way tree automata modulo all the associative-commutative theories we consider are closed under intersection. But the situation is very different in the case of complementation. We shall see that while one-way automata modulo the theories AC, ACU and ACUD are closed under complementation, those modulo the theories ACUX, ACUX$_n$, ACUM and ACUI are not. In this sense these equational tree automata behave differently from non-equational tree automata, which are closed under complementation. Another interesting pattern visible in these results is the coincidence between closure under complementation of one-way equational automata and the linearity of the equational theory considered. This might lead us to conjecture that one-way automata modulo $E$ are closed under complementation iff $E$ is linear. But this is false, because the theory A is linear, and we have seen in Chapter 4 that one-way automata modulo A are closed neither under intersection nor under complementation. Note that among the closure properties, closure under complementation is often the hardest to establish. We have thus succeeded in answering this question for one-way automata modulo all the associative-commutative theories we consider.
In this chapter we study the closure under complementation of the one-way equational tree automata. We have seen that the one-way tree automata modulo all the associative commutative theories that we are considering are closed under intersection. However the situation is very different in the case of complementation. We will see that while the one-way tree automata modulo the theories AC, ACU and ACUD are closed under complementation, those modulo the theories ACUX, ACUX$_n$, ACUM and ACUI are not. In this respect these equational tree automata behave differently from non-equational tree automata, which are closed under complementation. Also an interesting pattern visible in these results is the coincidence between the closure under complementation of the one-way equational tree automata and the linearity of the equational theory considered. This might lead us to conjecture that one-way $E$ tree automata are closed under complementation iff $E$ is linear. This is however false, since the theory A is linear, yet we have seen in Chapter 4 that one-way A tree automata are closed neither under intersection nor under complementation. Note that among the closure properties, closure under complementation is often the most difficult to establish. In this respect, we have succeeded in answering this question for the one-way automata modulo all the AC-like theories we are dealing with.

9.1 Complementation of ACU Automata

We show in this section that one-way ACU automata are closed under complementation.

Let $\mathcal{A}$ be a one-way ACU automaton with predicates from some finite set $\mathbb{P}$. We introduce new predicate symbols $S$ and $\overline{S}$ for each $S \subseteq \mathbb{P}$, and constants $a_S$ for each $S \subseteq \mathbb{P}$. We intend $S$ to accept the terms accepted at all the predicates in $S$ but nowhere else. $\overline{S}$ is intended to accept the functional terms accepted at $S$.

Define automaton $\mathcal{B} = \mathcal{A}_{eq} \cup \{P(a_S) \mid P \in S\}$. From Theorem 16, $\mathcal{L}_P(\mathcal{B}/\mathrm{ACU})$ is a semilinear set for every $P \in \mathbb{P}$. Given $S \subseteq \mathbb{P}$, define $\mathcal{L}_S = \bigcap_{P \in S} \mathcal{L}_P(\mathcal{B}/\mathrm{ACU}) \setminus \bigcup_{P \in \mathbb{P} \setminus S} \mathcal{L}_P(\mathcal{B}/\mathrm{ACU})$. This is a semilinear set. By Theorem 16, we can construct a constant-only automaton $\mathcal{A}_S$ with final state $F_S$ such that $\mathcal{L}(\mathcal{A}_S/\mathrm{ACU}) = \mathcal{L}_S$. We assume that the automata $\mathcal{A}_S$ are built from mutually disjoint sets of fresh states.

Define automaton $\mathcal{A}'$ to consist of the following clauses:

1. for each $S \subseteq \mathbb{P}$ the clause $S(x) \Leftarrow F_S(x)$.

2. clauses of $\mathcal{A}_{S\,eq}$ for $S \subseteq \mathbb{P}$.

3. for each clause $R(a_S)$ in some $\mathcal{A}_S$, the clause $R(x) \Leftarrow \overline{S}(x)$.

4. for each free function symbol $f$ of arity $n$, and each $S_1, \ldots, S_n \subseteq \mathbb{P}$, the clause

\[
\overline{S}(f(x_1, \ldots, x_n)) \Leftarrow S_1(x_1) \wedge \ldots \wedge S_n(x_n)
\]

where

\[
S = \{P \mid \exists P_1 \in S_1 \cdot \exists \ldots \exists P_n \in S_n \cdot P(f(x_1, \ldots, x_n)) \Leftarrow P_1(x_1) \wedge \ldots \wedge P_n(x_n) \in \mathcal{A}_{free}\}
\]

This construction plays the role of the usual determinization procedure in standard tree automata. Note that it is however more complex because of the ACU symbol. The idea in defining $\mathcal{A}_{eq}$ and the $\mathcal{A}_S$'s is to compute all possible derivations using the clauses of the equational part. The constant $a_S$ acts as a 'place marker' for the terms accepted at $S$, for $S \subseteq \mathbb{P}$. This is made precise in the following lemma:

Lemma 41 For any $S \subseteq \mathbb{P}$ and any term $t$, $S(t)$ is derivable in $\mathcal{A}'/\mathrm{ACU}$ iff $S = \{P \in \mathbb{P} \mid P(t) \text{ is derivable in } \mathcal{A}/\mathrm{ACU}\}$.
Proof: We do induction on the size of $t$. Let $t =_{\mathrm{ACU}} t_1 + \ldots + t_n$ ($n \ge 0$) such that for $1 \le i \le n$, $t_i = f_i(t_i^1, \ldots, t_i^{k_i})$ and $f_i$ is free. Let $S = \{P \in \mathbb{P} \mid P(t) \text{ is derivable in } \mathcal{A}/\mathrm{ACU}\}$. First we show that (a) $S(t)$ is derivable in $\mathcal{A}'/\mathrm{ACU}$; then we show that (b) if $S'(t)$ is derivable in $\mathcal{A}'/\mathrm{ACU}$ for some $S' \subseteq \mathbb{P}$ then $S' = S$. This will complete our proof.

Proof of (a): For $1 \le i \le n$, $1 \le j \le k_i$ let $S_i^j = \{Q \mid Q(t_i^j) \text{ is derivable in } \mathcal{A}/\mathrm{ACU}\}$. By induction hypothesis $S_i^j(t_i^j)$ is derivable in $\mathcal{A}'/\mathrm{ACU}$. For $1 \le i \le n$ let $S_i = \{Q \mid \exists Q^1 \in S_i^1 \cdot \exists \ldots \exists Q^{k_i} \in S_i^{k_i} \cdot Q(f_i(x_1, \ldots, x_{k_i})) \Leftarrow Q^1(x_1) \wedge \ldots \wedge Q^{k_i}(x_{k_i}) \in \mathcal{A}_{free}\}$. The clause $\overline{S_i}(f_i(x_1, \ldots, x_{k_i})) \Leftarrow S_i^1(x_1) \wedge \ldots \wedge S_i^{k_i}(x_{k_i}) \in \mathcal{A}'$. So the atom $\overline{S_i}(t_i)$ is derivable in $\mathcal{A}'/\mathrm{ACU}$ for $1 \le i \le n$.

For each $P \in S$, the derivation (call it $\pi_P$) of $P(t)$ has a functional support of the form $Q_1^P(t_1), \ldots, Q_n^P(t_n)$, and we have

\[
\pi_P \;=\; \frac{Q_1^P(t_1) \quad \ldots \quad Q_n^P(t_n)}{P(t_1 + \ldots + t_n)}\;(\mathcal{A}_{eq}/\mathrm{ACU}) \tag{9.1}
\]

For $P \in S$, $1 \le i \le n$, since $Q_i^P(t_i)$ is in the functional support of $\pi_P$, it has a derivation which uses the clause $Q_i^P(f_i(x_1, \ldots, x_{k_i})) \Leftarrow Q_i^{P,1}(x_1) \wedge \ldots \wedge Q_i^{P,k_i}(x_{k_i})$ as the last clause, and for $1 \le j \le k_i$, the atom $Q_i^{P,j}(t_i^j)$ is derivable in $\mathcal{A}/\mathrm{ACU}$. For $P \in S$, $1 \le i \le n$, $1 \le j \le k_i$, by definition of $S_i^j$, $Q_i^{P,j} \in S_i^j$. For $P \in S$, $1 \le i \le n$, by definition of $S_i$, $Q_i^P \in S_i$. Hence the atom $Q_i^P(a_{S_i})$ is derivable in $\mathcal{B}/\mathrm{ACU}$. Also by definition $\mathcal{B}_{eq} = \mathcal{A}_{eq}$. From (9.1) and Lemma 21,

$P(a_{S_1} + \ldots + a_{S_n})$ is derivable in $\mathcal{B}/\mathrm{ACU}$ for each $P \in S$ (*)

We also claim that

if $P \in \mathbb{P} \setminus S$ then $a_{S_1} + \ldots + a_{S_n} \notin \mathcal{L}_P(\mathcal{B}/\mathrm{ACU})$ (**)

This is so because if $P \in \mathbb{P} \setminus S$ and $a_{S_1} + \ldots + a_{S_n} \in \mathcal{L}_P(\mathcal{B}/\mathrm{ACU})$, then the corresponding derivation (call it $\pi'$) of $P(a_{S_1} + \ldots + a_{S_n})$ would have a functional support of the form $Q_1(a_{S_1}), \ldots, Q_n(a_{S_n})$ where $Q_i \in S_i$ for $1 \le i \le n$. We would have

\[
\pi' \;=\; \frac{Q_1(a_{S_1}) \quad \ldots \quad Q_n(a_{S_n})}{P(a_{S_1} + \ldots + a_{S_n})}\;(\mathcal{B}/\mathrm{ACU}) \tag{9.2}
\]

For $1 \le i \le n$, since $Q_i \in S_i$, by construction of $S_i$, $Q_i(t_i)$ would be derivable in $\mathcal{A}/\mathrm{ACU}$. Also by definition $\mathcal{B}_{eq} = \mathcal{A}_{eq}$. Hence by (9.2) and Lemma 21, $P(t_1 + \ldots + t_n)$ would be derivable in $\mathcal{A}/\mathrm{ACU}$. Hence we would have a derivation of $P(t)$ in $\mathcal{A}/\mathrm{ACU}$, which would contradict the definition of $S$. Hence claim (**) holds.

Combining (*) and (**), $a_{S_1} + \ldots + a_{S_n} \in \mathcal{L}_S$. The derivation (call it $\pi$) of $F_S(a_{S_1} + \ldots + a_{S_n})$ in $\mathcal{A}_S/\mathrm{ACU}$ has a functional support of the form $R_1(a_{S_1}), \ldots, R_n(a_{S_n})$, and we have

\[
\pi \;=\; \frac{R_1(a_{S_1}) \quad \ldots \quad R_n(a_{S_n})}{F_S(a_{S_1} + \ldots + a_{S_n})}\;(\mathcal{A}_{S\,eq}/\mathrm{ACU}) \tag{9.3}
\]

For $1 \le i \le n$, since the clause $R_i(a_{S_i}) \in \mathcal{A}_S$, the clause $R_i(x) \Leftarrow \overline{S_i}(x) \in \mathcal{A}'$. Also we know that $\overline{S_i}(t_i)$ is derivable in $\mathcal{A}'/\mathrm{ACU}$. Hence $R_i(t_i)$ is derivable in $\mathcal{A}'/\mathrm{ACU}$ for $1 \le i \le n$. By construction $\mathcal{A}_{S\,eq} \subseteq \mathcal{A}'_{eq}$. By (9.3) and Lemma 21, $F_S(t_1 + \ldots + t_n)$ is derivable in $\mathcal{A}'/\mathrm{ACU}$. Finally we use the clause $S(x) \Leftarrow F_S(x)$ to get a derivation of $S(t_1 + \ldots + t_n)$, i.e. of $S(t)$, in $\mathcal{A}'/\mathrm{ACU}$. This proves (a).
Proof of (b): Now suppose $S' \subseteq \mathbb{P}$ such that $S'(t)$ is derivable in $\mathcal{A}'/\mathrm{ACU}$. We need to show that $S' = S$. $S'(x) \Leftarrow F_{S'}(x)$ is the only clause which has the predicate $S'$ in the head. Hence the derivation $\pi_1$ of $S'(t)$ uses the clause $S'(x) \Leftarrow F_{S'}(x)$ as the last clause, and the atom $F_{S'}(t)$ is derivable in $\mathcal{A}'/\mathrm{ACU}$ using a derivation $\pi_2$ which is strictly smaller than $\pi_1$. Again from examination of the clauses in $\mathcal{A}'$, $\pi_2$ has a functional support of the form $\overline{S'_1}(t_1), \ldots, \overline{S'_n}(t_n)$ and we have

\[
\pi_2 \;=\; \frac{\dfrac{\overline{S'_1}(t_1)}{R'_1(t_1)}\,(R'_1(x) \Leftarrow \overline{S'_1}(x)) \quad \ldots \quad \dfrac{\overline{S'_n}(t_n)}{R'_n(t_n)}\,(R'_n(x) \Leftarrow \overline{S'_n}(x))}{F_{S'}(t_1 + \ldots + t_n)}\;(\mathcal{A}_{S'\,eq}/\mathrm{ACU}) \tag{9.4}
\]

Hence for $1 \le i \le n$, the clause $R'_i(a_{S'_i}) \in \mathcal{A}_{S'}$. Hence the atom $R'_i(a_{S'_i})$ is derivable in $\mathcal{A}_{S'}/\mathrm{ACU}$. By (9.4) and Lemma 21, $F_{S'}(a_{S'_1} + \ldots + a_{S'_n})$ is derivable in $\mathcal{A}_{S'}/\mathrm{ACU}$. For $1 \le i \le n$ the derivation of $\overline{S'_i}(t_i)$ in $\mathcal{A}'/\mathrm{ACU}$ uses a clause $\overline{S'_i}(f_i(x_1, \ldots, x_{k_i})) \Leftarrow S'^1_i(x_1) \wedge \ldots \wedge S'^{k_i}_i(x_{k_i}) \in \mathcal{A}'$ as the last clause, and for $1 \le j \le k_i$, the atom $S'^j_i(t_i^j)$ is derivable in $\mathcal{A}'/\mathrm{ACU}$. By induction hypothesis $S'^j_i = S_i^j$. By definition of $\mathcal{A}'$, $S'_i = S_i$. Hence $a_{S_1} + \ldots + a_{S_n} \in \mathcal{L}_{S'}$. We have already seen that $a_{S_1} + \ldots + a_{S_n} \in \mathcal{L}_S$. Since the $\mathcal{L}_S$'s are mutually disjoint by construction, $S' = S$. This proves (b). □

As a consequence we obtain:

Theorem 26 One-way ACU automata are effectively closed under complementation.

Proof: Let $\mathcal{A}$ be a one-way ACU automaton with predicates from $\mathbb{P}$ and with final state $F$. Define automaton $\mathcal{A}'$ as above. Then pick a fresh predicate $F'$ and add to $\mathcal{A}'$ the clauses $F'(x) \Leftarrow S(x)$ for every $S \subseteq \mathbb{P}$ such that $F \notin S$. Call this new automaton $\mathcal{A}''$. Then by Lemma 41,

\[
\begin{array}{rcl}
t \in \mathcal{L}_{F'}(\mathcal{A}''/\mathrm{ACU}) & \text{iff} & \text{for some } S \subseteq \mathbb{P},\ F \notin S \text{ and } t \in \mathcal{L}_S(\mathcal{A}'/\mathrm{ACU}) \\
& \text{iff} & F \notin \{P \in \mathbb{P} \mid t \in \mathcal{L}_P(\mathcal{A}/\mathrm{ACU})\} \quad \text{(by Lemma 41)} \\
& \text{iff} & t \notin \mathcal{L}_F(\mathcal{A}/\mathrm{ACU})
\end{array}
\]

We let $F'$ be the final state of $\mathcal{A}''$. Then $\mathcal{A}''/\mathrm{ACU}$ accepts the complement of the language accepted by $\mathcal{A}/\mathrm{ACU}$. □

The idea of using constants as abstractions for the functional terms accepted at certain states, and the correspondence between constant-only ACU automata and Presburger definability, have also been used in Chapter 8 to show closure under intersection of one-way equational tree automata for a certain number of theories. This may give the impression that the arguments for closure under complementation are similar to the ones for intersection. While there are indeed some common ideas, it is actually surprising that while similar ideas work for showing closure under intersection of the one-way automata modulo all theories under consideration, they do not work for showing closure under complementation of the one-way automata modulo the theories ACUX, ACUX$_n$, ACUM and ACUI. We show later in this chapter that the latter are not closed under complementation. Unlike in the case of intersection, our results show a strong correlation between closure under complementation of one-way equational tree automata and the linearity of the equational theory involved, at least as far as the theories dealt with in this thesis are concerned.





9.1.1 Complementation of AC Automata

As in the case of intersection, we state the same result for the AC case without repeating the proof:

Theorem 27 One-way AC automata are effectively closed under complementation.

9.2 Counter-Example for ACUX and ACUX$_n$ Automata

Contrary to the ACU case, one-way ACUX automata are not closed under complementation, as we show in this section. The result generalizes to the ACUX$_n$ case for $n \ge 2$, i.e. we can show that one-way ACUX$_n$ automata are not closed under complementation for any $n \ge 2$. (We get the ACUX case by taking $n = 2$.) To show this, fix some $n \ge 2$. Let our signature be $\Sigma = \{+, 0, a, f\}$ where $a$ is a constant and $f$ is a free unary symbol. Define languages $\mathcal{L}_1 = \mathrm{ACUX}_n(\{f^{k_1}(a) + \ldots + f^{k_n}(a) \mid k_1, \ldots, k_n \ge 0\})$ and $\mathcal{L}_2 = \mathrm{ACUX}_n(\{0\})$.

Then $\mathcal{L}_1 \setminus \mathcal{L}_2 = \mathrm{ACUX}_n(\{f^{k_1}(a) + \ldots + f^{k_n}(a) \mid k_1, \ldots, k_n \ge 0 \text{ and for some } 1 \le i, j \le n,\ i \ne j \text{ and } k_i \ne k_j\})$. $\mathcal{L}_1$ and $\mathcal{L}_2$ are clearly accepted by one-way ACUX$_n$ automata. However $\mathcal{L}_1 \setminus \mathcal{L}_2$ is not:

Lemma 42 The language $\mathcal{L} = \mathrm{ACUX}_n(\{f^{k_1}(a) + \ldots + f^{k_n}(a) \mid k_1, \ldots, k_n \ge 0 \text{ and for some } 1 \le i, j \le n,\ i \ne j \text{ and } k_i \ne k_j\})$ is not accepted by any one-way ACUX$_n$ automaton.

Proof: Assume on the contrary that there is a one-way automaton $\mathcal{A}$ with final state $P$ such that $\mathcal{L}(\mathcal{A}/\mathrm{ACUX}_n) = \mathcal{L}$. Let $\mathbb{P}$ be the set of predicates in $\mathcal{A}$. For each $p \ge 0$ define $S_p = \{Q \in \mathbb{P} \mid Q(f^p(a)) \text{ is derivable in } \mathcal{A}/\mathrm{ACUX}_n\}$. Since $\mathbb{P}$ is finite, it has finitely many subsets. Hence there are $p, q \in \mathbb{N}$ such that $p \ne q$ and $S_p = S_q$. Since $p \ne q$, the term $f^p(a) + \underbrace{f^q(a) + \ldots + f^q(a)}_{n-1 \text{ times}} \in \mathcal{L}$. From Lemma 19, we have some $t =_{\mathrm{ACUX}_n} f^p(a) + \underbrace{f^q(a) + \ldots + f^q(a)}_{n-1 \text{ times}}$ such that $P(t)$ is derivable in $\mathcal{A}/\mathrm{ACU}$. We have terms $t_i$ for $1 \le i \le n$ and terms $u_i^j$ for $1 \le i \le k$, $1 \le j \le n$ for some $k \ge 0$ such that

1. $t_1$ is functional and $t_1 =_{\mathrm{ACUX}_n} f^p(a)$

2. for $2 \le i \le n$, $t_i$ is functional and $t_i =_{\mathrm{ACUX}_n} f^q(a)$

3. for $1 \le i \le k$, $1 \le j \le n$, $u_i^j$ is functional and for $1 \le j' \le n$, $u_i^j =_{\mathrm{ACUX}_n} u_i^{j'}$

4. $t =_{\mathrm{ACU}} t_1 + t_2 + \ldots + t_n + u_1^1 + \ldots + u_1^n + \ldots + u_k^1 + \ldots + u_k^n$

The derivation $\pi$ of $P(t)$ has a functional support of the form $I_1(t_1), I_2(t_2), \ldots, I_n(t_n), I_1^1(u_1^1), \ldots, I_1^n(u_1^n), \ldots, I_k^1(u_k^1), \ldots, I_k^n(u_k^n)$, and we have

\[
\pi \;=\; \frac{I_1(t_1) \;\; I_2(t_2) \;\ldots\; I_n(t_n) \;\; I_1^1(u_1^1) \;\ldots\; I_1^n(u_1^n) \;\ldots\; I_k^1(u_k^1) \;\ldots\; I_k^n(u_k^n)}{P(t)}\;(\mathcal{A}_{eq}/\mathrm{ACU}) \tag{9.5}
\]

We have $I_1 \in S_p$ and $I_2, \ldots, I_n \in S_q$. However $S_p = S_q$, hence $I_2, \ldots, I_n \in S_p$. Thus $I_1(f^p(a)), I_2(f^p(a)), \ldots, I_n(f^p(a))$ are derivable in $\mathcal{A}/\mathrm{ACUX}_n$. From (9.5) and Lemma 21, $P(\underbrace{f^p(a) + \ldots + f^p(a)}_{n \text{ times}} + u_1^1 + \ldots + u_1^n + \ldots + u_k^1 + \ldots + u_k^n)$ is derivable in $\mathcal{A}/\mathrm{ACUX}_n$. Since each of these groups of $n$ ACUX$_n$-equal terms is equal to $0$ modulo ACUX$_n$, $P(0)$ is derivable in $\mathcal{A}/\mathrm{ACUX}_n$, leading to a contradiction. □

Since one-way ACUX$_n$ automata are closed under intersection, and since $\mathcal{L}_1 \setminus \mathcal{L}_2 = \mathcal{L}_1 \cap C(\mathcal{L}_2)$ where $C(\mathcal{L}')$ denotes the complement of the language $\mathcal{L}'$, we conclude:

Theorem 28 One-way ACUX$_n$ automata are not closed under complementation for any $n \ge 2$. In particular one-way ACUX automata are not closed under complementation.

We remark that the situation is different for the theory ACUX$_n$ when $n = 1$. In this case the axiom $x = 0$ means that every term is equal to $0$. Trivially the automata are closed under intersection and complementation. This however is clearly not an interesting case.

9.3 Complementation of ACUD Automata

In the ACUD case the situation is similar to the ACU case: the automata are closed under complementation.

Fix a signature $\Sigma$ containing at least the symbols $+$, $-$ and $0$. Let $\mathcal{A}$ be a one-way ACUD automaton on signature $\Sigma$ and with predicates from $\mathbb{P}$. We introduce fresh predicate symbols $S$ and $\overline{S}$ for each $S \subseteq \mathbb{P}$, and sets $A = \{a_S \mid S \subseteq \mathbb{P}\}$ and $\overline{A} = \{\overline{a}_S \mid S \subseteq \mathbb{P}\}$ of fresh constants. Define automaton $\mathcal{B} = \mathcal{A}_{eq} \cup \{P(a_S) \mid P \in S\}$. $\mathcal{B}$ is an automaton on the signature $A \cup \{+, -, 0\}$. From Theorem 18, for each $P$, $\mathcal{L}_P(\mathcal{B}/\mathrm{ACUD})$ is a semilinear set on constants from $A \cup \overline{A}$. Given $S \subseteq \mathbb{P}$, define $\mathcal{L}_S = \bigcap_{P \in S} \mathcal{L}_P(\mathcal{B}/\mathrm{ACUD}) \setminus \bigcup_{P \in \mathbb{P} \setminus S} \mathcal{L}_P(\mathcal{B}/\mathrm{ACUD})$. This is a semilinear set on constants from $A \cup \overline{A}$. Using Theorem 18 we compute a constant-only ACUD automaton $\mathcal{A}_S$ using constants from $A$ and with final state $F_S$ such that $\mathcal{L}(\mathcal{A}_S/\mathrm{ACUD}) = \mathcal{L}_S$. We assume that the automata $\mathcal{A}_S$ are all built from mutually disjoint sets of fresh predicates.

Define automaton $\mathcal{A}'$ to consist of the following clauses:

1. for each $S \subseteq \mathbb{P}$ the clause $S(x) \Leftarrow F_S(x)$.

2. clauses of $\mathcal{A}_{S\,eq}$ for $S \subseteq \mathbb{P}$.

3. for each clause $R(a_S)$ in some $\mathcal{A}_S$, the clause $R(x) \Leftarrow \overline{S}(x)$.

4. for each free function symbol $f$ of arity $n$, and each $S_1, \ldots, S_n \subseteq \mathbb{P}$, the clause

\[
\overline{S}(f(x_1, \ldots, x_n)) \Leftarrow S_1(x_1) \wedge \ldots \wedge S_n(x_n)
\]

where

\[
S = \{P \mid \exists P_1 \in S_1 \cdot \exists \ldots \exists P_n \in S_n \cdot P(f(x_1, \ldots, x_n)) \Leftarrow P_1(x_1) \wedge \ldots \wedge P_n(x_n) \in \mathcal{A}_{free}\}
\]


Lemma 43 For any $S \subseteq \mathbb{P}$ and any term $t$, $S(t)$ is derivable in $\mathcal{A}'/\mathrm{ACUD}$ iff $S = \{P \in \mathbb{P} \mid P(t) \text{ is derivable in } \mathcal{A}/\mathrm{ACUD}\}$.

Proof: We do induction on the size of $t$. Let $t =_{\mathrm{ACUD}} s_1 + \ldots + s_m - t_1 - \ldots - t_n$ ($m, n \ge 0$) such that for $1 \le i \le m$ we have $s_i = f_i(s_i^1, \ldots, s_i^{k_i})$ for some free $f_i$, and for $1 \le i \le n$ we have $t_i = g_i(t_i^1, \ldots, t_i^{l_i})$ for some free $g_i$. Let $S = \{P \in \mathbb{P} \mid P(t) \text{ is derivable in } \mathcal{A}/\mathrm{ACUD}\}$. First we show that (a) $S(t)$ is derivable in $\mathcal{A}'/\mathrm{ACUD}$; then we show that (b) if $S'(t)$ is derivable in $\mathcal{A}'/\mathrm{ACUD}$ for some $S' \subseteq \mathbb{P}$ then $S' = S$. This will complete our proof.
Proof of (a): For $1 \le i \le m$, $1 \le j \le k_i$ let $S_i^j = \{Q \mid Q(s_i^j) \text{ is derivable in } \mathcal{A}/\mathrm{ACUD}\}$. By induction hypothesis $S_i^j(s_i^j)$ is derivable in $\mathcal{A}'/\mathrm{ACUD}$. For $1 \le i \le n$, $1 \le j \le l_i$ let $T_i^j = \{Q \mid Q(t_i^j) \text{ is derivable in } \mathcal{A}/\mathrm{ACUD}\}$. By induction hypothesis $T_i^j(t_i^j)$ is derivable in $\mathcal{A}'/\mathrm{ACUD}$. For $1 \le i \le m$ let $S_i = \{Q \mid \exists Q^1 \in S_i^1 \cdot \exists \ldots \exists Q^{k_i} \in S_i^{k_i} \cdot Q(f_i(x_1, \ldots, x_{k_i})) \Leftarrow Q^1(x_1) \wedge \ldots \wedge Q^{k_i}(x_{k_i}) \in \mathcal{A}_{free}\}$. The clause $\overline{S_i}(f_i(x_1, \ldots, x_{k_i})) \Leftarrow S_i^1(x_1) \wedge \ldots \wedge S_i^{k_i}(x_{k_i}) \in \mathcal{A}'$. So the atom $\overline{S_i}(s_i)$ is derivable in $\mathcal{A}'/\mathrm{ACUD}$ for $1 \le i \le m$. Similarly for $1 \le i \le n$ let $T_i = \{Q \mid \exists Q^1 \in T_i^1 \cdot \exists \ldots \exists Q^{l_i} \in T_i^{l_i} \cdot Q(g_i(x_1, \ldots, x_{l_i})) \Leftarrow Q^1(x_1) \wedge \ldots \wedge Q^{l_i}(x_{l_i}) \in \mathcal{A}_{free}\}$. The clause $\overline{T_i}(g_i(x_1, \ldots, x_{l_i})) \Leftarrow T_i^1(x_1) \wedge \ldots \wedge T_i^{l_i}(x_{l_i}) \in \mathcal{A}'$. So the atom $\overline{T_i}(t_i)$ is derivable in $\mathcal{A}'/\mathrm{ACUD}$ for $1 \le i \le n$.

For each $P \in S$, the derivation (call it $\pi_P$) of $P(t)$ has a functional support of the form $Q_1^P(s_1), \ldots, Q_m^P(s_m), Q'^P_1(t_1), \ldots, Q'^P_n(t_n)$, and we have

\[
\pi_P \;=\; \frac{Q_1^P(s_1) \;\ldots\; Q_m^P(s_m) \quad Q'^P_1(t_1) \;\ldots\; Q'^P_n(t_n)}{P(s_1 + \ldots + s_m - t_1 - \ldots - t_n)}\;(\mathcal{A}_{eq}/\mathrm{ACUD}) \tag{9.6}
\]

For $P \in S$, $1 \le i \le m$, since $Q_i^P(s_i)$ is in the functional support of $\pi_P$, it has a derivation which uses the clause $Q_i^P(f_i(x_1, \ldots, x_{k_i})) \Leftarrow Q_i^{P,1}(x_1) \wedge \ldots \wedge Q_i^{P,k_i}(x_{k_i})$ as the last clause, and for $1 \le j \le k_i$ the atom $Q_i^{P,j}(s_i^j)$ is derivable in $\mathcal{A}/\mathrm{ACUD}$. For $P \in S$, $1 \le i \le m$, $1 \le j \le k_i$, by definition of $S_i^j$, $Q_i^{P,j} \in S_i^j$. For $P \in S$, $1 \le i \le m$, by definition of $S_i$, $Q_i^P \in S_i$. Hence the atom $Q_i^P(a_{S_i})$ is derivable in $\mathcal{B}/\mathrm{ACUD}$ for $P \in S$, $1 \le i \le m$. Similarly the atom $Q'^P_i(a_{T_i})$ is derivable in $\mathcal{B}/\mathrm{ACUD}$ for $P \in S$, $1 \le i \le n$. Also by definition $\mathcal{B}_{eq} = \mathcal{A}_{eq}$. From (9.6) and Lemma 23,

$P(a_{S_1} + \ldots + a_{S_m} - a_{T_1} - \ldots - a_{T_n})$ is derivable in $\mathcal{B}/\mathrm{ACUD}$ for each $P \in S$ (*)

We also claim that

if $P \in \mathbb{P} \setminus S$ then $a_{S_1} + \ldots + a_{S_m} - a_{T_1} - \ldots - a_{T_n} \notin \mathcal{L}_P(\mathcal{B}/\mathrm{ACUD})$ (**)

This is so because if $P \in \mathbb{P} \setminus S$ and $a_{S_1} + \ldots + a_{S_m} - a_{T_1} - \ldots - a_{T_n} \in \mathcal{L}_P(\mathcal{B}/\mathrm{ACUD})$, then the corresponding derivation (call it $\pi'$) of $P(a_{S_1} + \ldots + a_{S_m} - a_{T_1} - \ldots - a_{T_n})$ would have a functional support of the form $Q_1(a_{S_1}), \ldots, Q_m(a_{S_m}), Q'_1(a_{T_1}), \ldots, Q'_n(a_{T_n})$ where $Q_i \in S_i$ for $1 \le i \le m$ and $Q'_i \in T_i$ for $1 \le i \le n$. We would have

\[
\pi' \;=\; \frac{Q_1(a_{S_1}) \;\ldots\; Q_m(a_{S_m}) \quad Q'_1(a_{T_1}) \;\ldots\; Q'_n(a_{T_n})}{P(a_{S_1} + \ldots + a_{S_m} - a_{T_1} - \ldots - a_{T_n})}\;(\mathcal{B}/\mathrm{ACUD}) \tag{9.7}
\]

For $1 \le i \le m$, since $Q_i \in S_i$, by construction of $S_i$, $Q_i(s_i)$ would be derivable in $\mathcal{A}/\mathrm{ACUD}$. Similarly for $1 \le i \le n$, $Q'_i(t_i)$ would be derivable in $\mathcal{A}/\mathrm{ACUD}$. Hence by (9.7) and Lemma 23, $P(s_1 + \ldots + s_m - t_1 - \ldots - t_n)$ would be derivable in $\mathcal{A}/\mathrm{ACUD}$. Hence we would have a derivation of $P(t)$ in $\mathcal{A}/\mathrm{ACUD}$, which would contradict the definition of $S$. Hence claim (**) holds.

Combining (*) and (**), $a_{S_1} + \ldots + a_{S_m} - a_{T_1} - \ldots - a_{T_n} \in \mathcal{L}_S$. The derivation (call it $\pi$) of $F_S(a_{S_1} + \ldots + a_{S_m} - a_{T_1} - \ldots - a_{T_n})$ in $\mathcal{A}_S/\mathrm{ACUD}$ has a functional support of the form $R_1(a_{S_1}), \ldots, R_m(a_{S_m}), R'_1(a_{T_1}), \ldots, R'_n(a_{T_n})$, and we have

\[
\pi \;=\; \frac{R_1(a_{S_1}) \;\ldots\; R_m(a_{S_m}) \quad R'_1(a_{T_1}) \;\ldots\; R'_n(a_{T_n})}{F_S(a_{S_1} + \ldots + a_{S_m} - a_{T_1} - \ldots - a_{T_n})}\;(\mathcal{A}_{S\,eq}/\mathrm{ACUD}) \tag{9.8}
\]

For $1 \le i \le m$, since the clause $R_i(a_{S_i}) \in \mathcal{A}_S$, the clause $R_i(x) \Leftarrow \overline{S_i}(x) \in \mathcal{A}'$. Also we know that $\overline{S_i}(s_i)$ is derivable in $\mathcal{A}'/\mathrm{ACUD}$. Hence $R_i(s_i)$ is derivable in $\mathcal{A}'/\mathrm{ACUD}$ for $1 \le i \le m$. Similarly $R'_i(t_i)$ is derivable in $\mathcal{A}'/\mathrm{ACUD}$ for $1 \le i \le n$. By construction $\mathcal{A}_{S\,eq} \subseteq \mathcal{A}'_{eq}$. By (9.8) and Lemma 23, $F_S(s_1 + \ldots + s_m - t_1 - \ldots - t_n)$ is derivable in $\mathcal{A}'/\mathrm{ACUD}$. Finally we use the clause $S(x) \Leftarrow F_S(x)$ to get a derivation of $S(s_1 + \ldots + s_m - t_1 - \ldots - t_n)$, i.e. of $S(t)$, in $\mathcal{A}'/\mathrm{ACUD}$. This proves (a).

Proof of (b): Now suppose $S' \subseteq \mathbb{P}$ such that $S'(t)$ is derivable in $\mathcal{A}'/\mathrm{ACUD}$. We need to show that $S' = S$. $S'(x) \Leftarrow F_{S'}(x)$ is the only clause which has the predicate $S'$ in the head. Hence the derivation $\pi_1$ of $S'(t)$ uses the clause $S'(x) \Leftarrow F_{S'}(x)$ as the last clause, and the atom $F_{S'}(t)$ is derivable in $\mathcal{A}'/\mathrm{ACUD}$ using a derivation $\pi_2$ which is strictly smaller than $\pi_1$. Again from examination of the clauses in $\mathcal{A}'$, $\pi_2$ has a functional support of the form $\overline{S'_1}(s_1), \ldots, \overline{S'_m}(s_m), \overline{T'_1}(t_1), \ldots, \overline{T'_n}(t_n)$ and we have

\[
\pi_2 \;=\; \frac{\dfrac{\overline{S'_1}(s_1)}{R''_1(s_1)}\,(C_1) \;\ldots\; \dfrac{\overline{S'_m}(s_m)}{R''_m(s_m)}\,(C_m) \quad \dfrac{\overline{T'_1}(t_1)}{R'''_1(t_1)}\,(C'_1) \;\ldots\; \dfrac{\overline{T'_n}(t_n)}{R'''_n(t_n)}\,(C'_n)}{F_{S'}(s_1 + \ldots + s_m - t_1 - \ldots - t_n)}\;(\mathcal{A}_{S'\,eq}/\mathrm{ACUD}) \tag{9.9}
\]

where $C_i = R''_i(x) \Leftarrow \overline{S'_i}(x)$ for $1 \le i \le m$ and $C'_i = R'''_i(x) \Leftarrow \overline{T'_i}(x)$ for $1 \le i \le n$.

Hence for $1 \le i \le m$, the clause $R''_i(a_{S'_i}) \in \mathcal{A}_{S'}$. Hence the atom $R''_i(a_{S'_i})$ is derivable in $\mathcal{A}_{S'}/\mathrm{ACUD}$ for $1 \le i \le m$. Similarly the atom $R'''_i(a_{T'_i})$ is derivable in $\mathcal{A}_{S'}/\mathrm{ACUD}$ for $1 \le i \le n$. By (9.9) and Lemma 23, $F_{S'}(a_{S'_1} + \ldots + a_{S'_m} - a_{T'_1} - \ldots - a_{T'_n})$ is derivable in $\mathcal{A}_{S'}/\mathrm{ACUD}$. For $1 \le i \le m$ the derivation of $\overline{S'_i}(s_i)$ in $\mathcal{A}'/\mathrm{ACUD}$ uses a clause $\overline{S'_i}(f_i(x_1, \ldots, x_{k_i})) \Leftarrow S'^1_i(x_1) \wedge \ldots \wedge S'^{k_i}_i(x_{k_i}) \in \mathcal{A}'$ as the last clause, and for $1 \le j \le k_i$, the atom $S'^j_i(s_i^j)$ is derivable in $\mathcal{A}'/\mathrm{ACUD}$. By induction hypothesis $S'^j_i = S_i^j$. By definition of $\mathcal{A}'$, $S'_i = S_i$ for $1 \le i \le m$. Similarly $T'_i = T_i$ for $1 \le i \le n$. Hence $a_{S_1} + \ldots + a_{S_m} - a_{T_1} - \ldots - a_{T_n} \in \mathcal{L}_{S'}$. We have already seen that $a_{S_1} + \ldots + a_{S_m} - a_{T_1} - \ldots - a_{T_n} \in \mathcal{L}_S$. Since the $\mathcal{L}_S$'s are mutually disjoint by construction, $S' = S$. □

Then as in the ACU case we conclude that

Theorem 29 One-way ACUD automata are effectively closed under complementation.


9.4 Counter-Example for Abelian Groups Automata

The Abelian groups (ACUM) case is similar to the ACUX case: the automata are not closed under complementation. Let our signature be $\Sigma = \{+, -, 0, a, f\}$ where $a$ is a constant and $f$ is a free unary symbol. Define languages $\mathcal{L}_1 = \mathrm{ACUM}(\{f^n(a) - f^m(a) \mid n, m \ge 0\})$ and $\mathcal{L}_2 = \mathrm{ACUM}(\{0\})$. Then $\mathcal{L}_1 \setminus \mathcal{L}_2 = \mathrm{ACUM}(\{f^n(a) - f^m(a) \mid n, m \ge 0 \text{ and } n \ne m\})$. $\mathcal{L}_1$ and $\mathcal{L}_2$ are clearly accepted by one-way ACUM automata. However $\mathcal{L}_1 \setminus \mathcal{L}_2$ is not:

Lemma 44 The language $\mathcal{L} = \mathrm{ACUM}(\{f^n(a) - f^m(a) \mid n, m \ge 0 \text{ and } n \ne m\})$ is not accepted by any one-way ACUM automaton.

Proof: Assume on the contrary that there is a one-way automaton $\mathcal{A}$ with final state $P$ such that $\mathcal{L}(\mathcal{A}/\mathrm{ACUM}) = \mathcal{L}$. Let $\mathbb{P}$ be the set of predicates in $\mathcal{A}$. For each $n \ge 0$ define $S_n = \{Q \in \mathbb{P} \mid Q(f^n(a)) \text{ is derivable in } \mathcal{A}/\mathrm{ACUM}\}$. Since $\mathbb{P}$ is finite it has finitely many subsets. Hence there are $n, m \in \mathbb{N}$ such that $n \ne m$ and $S_n = S_m$. Since $n \ne m$, $f^n(a) - f^m(a) \in \mathcal{L}$. From Lemma 19 we have some $t =_{\mathrm{ACUM}} f^n(a) - f^m(a)$ such that $P(t)$ is derivable in $\mathcal{A}/\mathrm{ACUD}$. We have terms $t_1, t_2$ and terms $u_i, v_i$ for $1 \le i \le k$ for some $k \ge 0$ such that

1. $t_1$ is functional and $t_1 =_{\mathrm{ACUM}} f^n(a)$

2. $t_2$ is functional and $t_2 =_{\mathrm{ACUM}} f^m(a)$

3. for $1 \le i \le k$, $u_i$ and $v_i$ are functional and $u_i =_{\mathrm{ACUM}} v_i$

4. $t =_{\mathrm{ACUD}} t_1 - t_2 + u_1 - v_1 + \ldots + u_k - v_k$

The derivation $\pi$ of $P(t)$ has a functional support of the form $I(t_1), J(t_2), I_1(u_1), J_1(v_1), \ldots, I_k(u_k), J_k(v_k)$, and we have

\[
\pi \;=\; \frac{I(t_1) \;\; J(t_2) \;\; I_1(u_1) \;\; J_1(v_1) \;\ldots\; I_k(u_k) \;\; J_k(v_k)}{P(t)}\;(\mathcal{A}_{eq}/\mathrm{ACUD}) \tag{9.10}
\]

We have $I \in S_n$ and $J \in S_m$. However $S_n = S_m$, hence $J \in S_n$. Hence $I(f^n(a))$ and $J(f^n(a))$ are derivable in $\mathcal{A}/\mathrm{ACUM}$. From (9.10) and Lemma 23, $P(f^n(a) - f^n(a) + u_1 - v_1 + \ldots + u_k - v_k)$ is derivable in $\mathcal{A}/\mathrm{ACUM}$. Hence $P(0)$ is derivable in $\mathcal{A}/\mathrm{ACUM}$, leading to a contradiction. □

Since one-way ACUM automata are closed under intersection, we have as before:

Theorem 30 One-way ACUM automata are not closed under complementation.


9.5 Counter-Example for ACUI Automata

We show in this section that one-way ACUI automata are not closed under complementation either. Let the signature be $\{+, 0, a, f\}$ where $a$ is a constant and $f$ is a free unary symbol. Define languages $\mathcal{L}_1 = \mathrm{ACUI}(\{f^n(a) + f^m(a) \mid n, m \ge 0\})$ and $\mathcal{L}_2 = \mathrm{ACUI}(\{f^n(a) \mid n \ge 0\})$. Then the language $\mathcal{L}_1 \setminus \mathcal{L}_2 = \mathrm{ACUI}(\{f^n(a) + f^m(a) \mid n, m \ge 0 \text{ and } n \ne m\})$ is not accepted by any one-way ACUI automaton:

Lemma 45 The language $\mathcal{L} = \mathrm{ACUI}(\{f^n(a) + f^m(a) \mid n, m \ge 0 \text{ and } n \ne m\})$ is not accepted by any one-way ACUI automaton.

Proof: Assume on the contrary that there is a one-way automaton $\mathcal{A}$ with final state $P$ such that $\mathcal{L}(\mathcal{A}/\mathrm{ACUI}) = \mathcal{L}$. Let $\mathbb{P}$ be the set of predicates in $\mathcal{A}$. For each $n \ge 0$ define $S_n = \{Q \in \mathbb{P} \mid Q(f^n(a)) \text{ is derivable in } \mathcal{A}/\mathrm{ACUI}\}$. Since $\mathbb{P}$ is finite it has finitely many subsets. Hence there are $n, m \in \mathbb{N}$ such that $n \ne m$ and $S_n = S_m$. Since $n \ne m$, $f^n(a) + f^m(a) \in \mathcal{L}$. From Lemma 19, we have some $t =_{\mathrm{ACUI}} f^n(a) + f^m(a)$ such that $P(t)$ is derivable in $\mathcal{A}/\mathrm{ACU}$. We have terms $s_1, \ldots, s_p, t_1, \ldots, t_q$ for some $p, q \ge 1$ such that

1. for $1 \le i \le p$, $s_i$ is functional and $s_i =_{\mathrm{ACUI}} f^n(a)$

2. for $1 \le i \le q$, $t_i$ is functional and $t_i =_{\mathrm{ACUI}} f^m(a)$

3. $t =_{\mathrm{ACU}} s_1 + \ldots + s_p + t_1 + \ldots + t_q$

The derivation $\pi$ of $P(t)$ has a functional support of the form $I_1(s_1), \ldots, I_p(s_p), J_1(t_1), \ldots, J_q(t_q)$ and we have

\[
\pi \;=\; \frac{I_1(s_1) \;\ldots\; I_p(s_p) \quad J_1(t_1) \;\ldots\; J_q(t_q)}{P(t)}\;(\mathcal{A}_{eq}/\mathrm{ACU}) \tag{9.11}
\]

We have $I_1, \ldots, I_p \in S_n$ and $J_1, \ldots, J_q \in S_m$. However $S_n = S_m$, hence $J_1, \ldots, J_q \in S_n$. Hence $I_1(f^n(a)), \ldots, I_p(f^n(a)), J_1(f^n(a)), \ldots, J_q(f^n(a))$ are derivable in $\mathcal{A}/\mathrm{ACUI}$. From (9.11) and Lemma 23, $P(\underbrace{f^n(a) + \ldots + f^n(a)}_{p+q \text{ times}})$ is derivable in $\mathcal{A}/\mathrm{ACUI}$. Hence $P(f^n(a))$ is derivable in $\mathcal{A}/\mathrm{ACUI}$, leading to a contradiction. □

Since one-way ACUI automata are closed under intersection we have:

Theorem 31 One-way ACUI automata are not closed under complementation.


9.6 Conclusion

We have studied the question whether one-way equational tree automata are closed under complementation, for the AC-like theories. The answer to this question is strikingly different from the answer for intersection. We showed that for the theories AC, ACU and ACUD, which are linear, the one-way tree automata are closed under complementation. For the remaining theories ACUX, ACUX$_n$, ACUM and ACUI, which are non-linear, the one-way tree automata are not closed under complementation. Hence we have fully answered the question of closure under complementation for one-way equational tree automata. The above coincidence between linearity of equational theories and closure under complementation of one-way equational tree automata does not generalize to all theories. For example, one-way A tree automata are not closed under complementation.
Chapter 10

Two-Way Equational Tree Automata

Having dealt with the closure and decidability properties of one-way equational automata, we now turn to two-way equational tree automata. We show in this chapter that two-way equational tree automata (for all the theories we consider except ACUI) can be effectively reduced to one-way automata. Thus they have the same expressiveness as one-way automata. They also have the same decidability and closure properties as one-way automata. In particular, intersection-emptiness of these two-way equational automata is decidable, which we need in the context of cryptographic protocol verification, for example in the modelling of the group Diffie-Hellman protocol in Chapter 5. The case of two-way automata modulo ACUI is still open today.
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Having dealt with the closure and decidability properties of one-way equational tree automata, we 
now turn our attention to two-way equational tree automata. We show in this chapter that two-way 
equational tree automata (for all our theories under consideration except ACUI) can be effectively 
reduced to one-way automata. Thus they have the same expressiveness as the one-way automata. 
They also have the same closure and decidability properties as the one-way automata. In particular 
intersection emptiness of these two-way equational tree automata is decidable, which is what is needed 
in the context of verification of cryptographic protocols, e.g. in the modeling of group Diffie-Hellman 
protocol in Chapter 5. The two-way ACUI case is currently open. 

10.1 Two-Way ACU Automata 

We show in this section that two-way ACU automata can be effectively reduced to one-way ACU automata. We fix a signature $\Sigma$ containing at least the symbols $+$ and $0$.

We describe a saturation procedure which adds new epsilon clauses to two-way automata, until the free push clauses become redundant. Consider a two-way automaton $\mathcal{A}$ with predicates from $\mathcal{P}$. We introduce a new set $S = \{a_P \mid P \in \mathcal{P}\}$ of constants. We define the automaton $\mathcal{B} = \mathcal{A}_{eq} \cup \{P(a_P) \mid P \in \mathcal{P}\}$. For $P \in \mathcal{P}$, $\mathcal{L}_P(\mathcal{B}/\mathrm{ACU})$ is a semilinear set. In particular, membership of an element in $\mathcal{L}_P(\mathcal{B}/\mathrm{ACU})$ is decidable.

If there is a free push clause
\[
R(x_i) \Leftarrow P(f(x_1,\dots,x_n)) \wedge R_1^1(x_{i_1}) \wedge \dots \wedge R_1^{n_1}(x_{i_1}) \wedge \dots \wedge R_k^1(x_{i_k}) \wedge \dots \wedge R_k^{n_k}(x_{i_k}) \in \mathcal{A}
\]
and a free pop clause
\[
Q(f(x_1,\dots,x_n)) \Leftarrow Q_1(x_1) \wedge \dots \wedge Q_n(x_n) \in \mathcal{A}
\]
such that

1. $a_Q \in \mathcal{L}_P(\mathcal{B}/\mathrm{ACU})$

2. $\forall j \in \{1,\dots,k\} \cdot \exists t \cdot$ each of the predicates $Q_{i_j}, R_j^1, \dots, R_j^{n_j}$ accepts $t$ in $\mathcal{A}_{one\text{-}way}/\mathrm{ACU}$

3. $\forall j \in \{1,\dots,n\} \setminus \{i, i_1, \dots, i_k\} \cdot \exists t \cdot Q_j$ accepts $t$ in $\mathcal{A}_{one\text{-}way}/\mathrm{ACU}$

then we write $\mathcal{A} \rhd \mathcal{A} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$, which we take to constitute the base step of our saturation procedure. The idea is that if a free push clause is ever used then the corresponding symbol $f$ must have been introduced by some free pop clause. However, in between the applications of the free pop clause and the free push clause, there might be some applications of the clauses of $\mathcal{A}_{eq}$. In the above construction, the automaton $\mathcal{B}$ represents the possible derivations using clauses of $\mathcal{A}_{eq}$. The constants $a_P$ are used as abstractions for functional terms accepted at $P$.

The base step of our saturation procedure is harmless:

Lemma 46 Let $\mathcal{A} \rhd \mathcal{A} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$ as above. Then any atom derivable in $\mathcal{A} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}/\mathrm{ACU}$ is also derivable in $\mathcal{A}/\mathrm{ACU}$.

Proof: It is sufficient to show that

for any $t_i$, if $Q_i(t_i)$ is derivable in $\mathcal{A}/\mathrm{ACU}$, then $R(t_i)$ is derivable in $\mathcal{A}/\mathrm{ACU}$. (*)

This is because given an arbitrary derivation $\pi$ in which the clause $R(x_i) \Leftarrow Q_i(x_i)$ is used $N \geq 1$ times, we can pick a subderivation $\pi_{sub}$ of $\pi$ which uses the clause $R(x_i) \Leftarrow Q_i(x_i)$ at the root but nowhere else. Using (*) we have a subderivation $\pi'_{sub}$ which uses only the clauses of $\mathcal{A}$ and which has the same conclusion as $\pi_{sub}$. We replace the subderivation $\pi_{sub}$ in $\pi$ by the subderivation $\pi'_{sub}$, to get a derivation $\pi'$ which has the same conclusion as $\pi$ and which uses the clause $R(x_i) \Leftarrow Q_i(x_i)$ $N-1$ times. By iterating this process $N$ times we get a derivation which has the same conclusion as $\pi$ and which does not use the clause $R(x_i) \Leftarrow Q_i(x_i)$.

Now we proceed to prove (*). As in the definition above, let $t_{i_j}$ be some term accepted in $\mathcal{A}/\mathrm{ACU}$ at the predicates $Q_{i_j}, R_j^1, \dots, R_j^{n_j}$ for $j \in \{1,\dots,k\}$. Also let $t_j$ be some term accepted in $\mathcal{A}/\mathrm{ACU}$ at $Q_j$ for $j \in \{1,\dots,n\} \setminus \{i, i_1,\dots,i_k\}$. Then $Q(f(t_1,\dots,t_n))$ is derivable in $\mathcal{A}/\mathrm{ACU}$ using the free pop clause. As $a_Q \in \mathcal{L}_P(\mathcal{B}/\mathrm{ACU})$, the derivation (call it $\pi_1$) of $P(a_Q)$ in $\mathcal{B}/\mathrm{ACU}$ has the functional support $Q(a_Q)$ and we have
\[
\pi_1 \;=\; \frac{Q(a_Q)}{P(a_Q)}\ (\mathcal{B}_{eq}/\mathrm{ACU}) \tag{10.1}
\]
Also by definition $\mathcal{B}_{eq} = \mathcal{A}_{eq}$. Hence from the fact that $Q(f(t_1,\dots,t_n))$ is derivable in $\mathcal{A}/\mathrm{ACU}$, and using (10.1) and Lemma 21, we get a derivation of $P(f(t_1,\dots,t_n))$ in $\mathcal{A}/\mathrm{ACU}$. Using the free push clause we get a derivation of $R(t_i)$ in $\mathcal{A}/\mathrm{ACU}$. This proves (*). □

The converse is trivially true. Thus $\mathcal{A}$ and $\mathcal{A} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$ have the same set of derivable atoms modulo ACU.

Given a two-way ACU automaton $\mathcal{A}$ our saturation procedure consists of (don't-care non-deterministically) generating a sequence $\mathcal{A}_0 (= \mathcal{A}) \rhd \mathcal{A}_1 \rhd \mathcal{A}_2 \cdots$ of automata, until no new clauses can be added. This procedure always terminates because there are only a finite number of epsilon clauses possible. (If the number of predicates in $\mathcal{P}$ is $n$ then the number of epsilon clauses possible is $n^2$.) Let the final (saturated) automaton be $\mathcal{C}$. Then it is clear that $\mathcal{A}$ and $\mathcal{C}$ have the same set of derivable atoms. Then we remove clauses (3.13) from $\mathcal{C}$ to get a one-way automaton $\mathcal{C}_{one\text{-}way}$. This last step is also harmless:

Lemma 47 If any atom is derivable in $\mathcal{C}/\mathrm{ACU}$, then it is derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACU}$.

Proof: It is sufficient to show the following property:

(*) if $\pi$ is a derivation in $\mathcal{C}/\mathrm{ACU}$ and $\pi$ uses a push clause at the root but nowhere else, then there is a derivation $\pi'$ in $\mathcal{C}_{one\text{-}way}/\mathrm{ACU}$ which has the same conclusion as $\pi$.

This is because if there is a derivation $\pi_1$ in $\mathcal{C}/\mathrm{ACU}$ which uses free push clauses $N$ times, then we can choose a minimal sub-derivation $\pi_{sub}$ of $\pi_1$ which uses a free push clause at the root but nowhere else. Using (*) there is a derivation $\pi'_{sub}$ in $\mathcal{C}_{one\text{-}way}/\mathrm{ACU}$ which has the same conclusion as $\pi_{sub}$. Then we replace the subderivation $\pi_{sub}$ in $\pi_1$ by the derivation $\pi'_{sub}$ to get a derivation $\pi'_1$ which uses free push clauses $N-1$ times and which has the same conclusion as $\pi_1$. By iterating this procedure $N$ times we get a derivation in $\mathcal{C}_{one\text{-}way}$ which has the same conclusion as $\pi_1$.

Now we proceed to prove (*). So we assume a derivation $\pi$ in $\mathcal{C}/\mathrm{ACU}$ of $R(t_i)$ which uses the free push clause $R(x_i) \Leftarrow P(f(x_1,\dots,x_n)) \wedge R_1^1(x_{i_1}) \wedge \dots \wedge R_1^{n_1}(x_{i_1}) \wedge \dots \wedge R_k^1(x_{i_k}) \wedge \dots \wedge R_k^{n_k}(x_{i_k})$ as the last clause, and does not use a free push clause anywhere else. Hence the atoms $P(f(t_1,\dots,t_n)), R_1^1(t_{i_1}), \dots, R_1^{n_1}(t_{i_1}), \dots, R_k^1(t_{i_k}), \dots, R_k^{n_k}(t_{i_k})$ are derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACU}$.

The derivation (call it $\pi_2$) of $P(f(t_1,\dots,t_n))$ has the functional support $Q(f(t_1,\dots,t_n))$ for some $Q$, and we have
\[
\pi_2 \;=\; \frac{Q(f(t_1,\dots,t_n))}{P(f(t_1,\dots,t_n))}\ (\mathcal{C}_{eq}/\mathrm{ACU}) \tag{10.2}
\]
Define the automaton $\mathcal{D} = \mathcal{C}_{eq} \cup \{R(a_R) \mid R \in \mathcal{P}\}$. The atom $Q(a_Q)$ is derivable in $\mathcal{D}/\mathrm{ACU}$. Since $\mathcal{C}_{eq} = \mathcal{D}_{eq}$, from (10.2) and Lemma 21, $P(a_Q)$ is derivable in $\mathcal{D}/\mathrm{ACU}$. Now the derivation of $Q(f(t_1,\dots,t_n))$ in $\mathcal{C}_{one\text{-}way}$ uses some clause $Q(f(x_1,\dots,x_n)) \Leftarrow Q_1(x_1) \wedge \dots \wedge Q_n(x_n)$ as the last clause, and the atoms $Q_1(t_1),\dots,Q_n(t_n)$ are derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACU}$. In the base step of the saturation procedure described above, by replacing the automata $\mathcal{A}$ and $\mathcal{B}$ by the automata $\mathcal{C}$ and $\mathcal{D}$ we have that $\mathcal{C} \rhd \mathcal{C} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$. But $\mathcal{C}$ is already saturated, hence $R(x_i) \Leftarrow Q_i(x_i) \in \mathcal{C}$. Also $Q_i(t_i)$ is derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACU}$. Hence $R(t_i)$ is derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACU}$. □

The converse is trivially true. Hence $\mathcal{C}$ has the same set of derivable atoms as $\mathcal{C}_{one\text{-}way}$. Also we have already seen that $\mathcal{C}$ has the same set of derivable atoms as $\mathcal{A}$. Hence by letting the final state of the automaton $\mathcal{C}_{one\text{-}way}$ be the same as the final state of the automaton $\mathcal{A}$, we have

Theorem 32 A two-way ACU automaton can be effectively converted to a one-way ACU automaton accepting the same language.

As we have shown that one-way ACU automata are effectively closed under intersection and complementation, we have:


Corollary 3 Two-Way ACU automata are effectively closed under intersection and complementation. 
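As an added illustration (not part of the thesis), the following Python code runs the saturation procedure of this section on a small constructed two-way ACU automaton. It assumes free push clauses without side predicates, so that condition 2 is vacuous and condition 3 reduces to non-emptiness of the $Q_j$ in $\mathcal{A}_{one\text{-}way}$; condition 1 is decided by computing which predicates of $\mathcal{B}$ accept the single constant $a_Q$ modulo ACU. The clause encoding, the automaton (an intruder projecting the components of known pairs) and all names are constructed assumptions.

```python
"""Saturation of a two-way ACU automaton into a one-way one (Section 10.1); added
illustration, not the thesis's code.  Assumed clause shapes, with A_eq = plus+zero+eps:
  pop  (P, f, (P1,..,Pn))  P(f(x1,..,xn)) <= P1(x1),..,Pn(xn); constants are 0-ary f
  plus (P, P1, P2)         P(x+y) <= P1(x), P2(y)         zero  P   P(0)
  eps  (P, Q)              P(x) <= Q(x)
  push (R, i, P, f, n)     R(x_i) <= P(f(x1,..,xn)), free push clause, no side predicates
A term modulo ACU is a flattened multiset of functional terms, kept as a sorted tuple
of summands (f, arg1, .., argn); the empty tuple is 0."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Automaton:
    pop: frozenset
    plus: frozenset
    zero: frozenset
    eps: frozenset
    push: frozenset = frozenset()

def term(*summands):
    """Canonical ACU representative of summand_1 + ... + summand_m."""
    return tuple(sorted(summands, key=repr))

def fixpoint(aut, pop_rule):
    """Least predicate set closed under the one-way clauses of aut (push ignored)."""
    s = set(aut.zero)
    while True:
        new = {P for P, _, body in aut.pop if pop_rule(body, s)}
        new |= {P for P, P1, P2 in aut.plus if P1 in s and P2 in s}
        new |= {P for P, Q in aut.eps if Q in s}
        if new <= s:
            return s
        s |= new

def nullable(aut):   # predicates accepting 0; a functional term is never 0
    return fixpoint(aut, lambda body, s: False)

def nonempty(aut):   # predicates accepting some term in aut_one-way
    return fixpoint(aut, lambda body, s: all(Q in s for Q in body))

def accepting(aut, t, memo=None):
    """Predicates at which the one-way part of aut accepts t modulo ACU."""
    memo = {} if memo is None else memo
    if t in memo:
        return memo[t]
    null = nullable(aut)
    res = set(null) if not t else set()
    if len(t) == 1:              # one functional term: a pop clause must apply
        f, *args = t[0]
        for P, g, body in aut.pop:
            if g == f and len(body) == len(args) and all(
                    body[j] in accepting(aut, args[j], memo) for j in range(len(args))):
                res.add(P)
    for mask in range(1, 2 ** len(t) - 1):   # P(x+y) with both parts non-empty
        left = term(*(s for j, s in enumerate(t) if mask >> j & 1))
        right = term(*(s for j, s in enumerate(t) if not mask >> j & 1))
        L, R = accepting(aut, left, memo), accepting(aut, right, memo)
        res |= {P for P, P1, P2 in aut.plus if P1 in L and P2 in R}
    while True:                  # close under epsilon clauses and under t + 0 = t
        new = {P for P, Q in aut.eps if Q in res}
        new |= {P for P, P1, P2 in aut.plus
                if (P1 in res and P2 in null) or (P1 in null and P2 in res)}
        if new <= res:
            memo[t] = res
            return res
        res |= new

def saturate(aut):
    """Add R(x_i) <= Q_i(x_i) until every push clause is redundant, then drop them."""
    eps = set(aut.eps)
    while True:
        cur = Automaton(aut.pop, aut.plus, aut.zero, frozenset(eps))
        # B = A_eq + {Q(a_Q)}: only the a_Q of pop-clause heads can be the term a_Q
        B = Automaton(frozenset((Q, "a_" + Q, ()) for Q, _, _ in aut.pop),
                      aut.plus, aut.zero, frozenset(eps))
        ne, memo, new = nonempty(cur), {}, set()
        for R, i, P, f, n in aut.push:
            for Q, g, body in aut.pop:
                if g != f or len(body) != n:
                    continue
                cond1 = P in accepting(B, term(("a_" + Q,)), memo)     # a_Q in L_P(B/ACU)
                cond3 = all(body[j] in ne for j in range(n) if j != i - 1)
                if cond1 and cond3:
                    new.add((R, body[i - 1]))
        if new <= eps:
            return cur           # C_one-way: saturated, push clauses removed
        eps |= new

# Constructed example: Known holds multisets of (nonce, key) pairs and the intruder
# projects their components; Hidden only ever holds two pairs, so Leak learns nothing.
A = Automaton(
    pop=frozenset({("Nonce", "n", ()), ("Key", "k", ()), ("Pair", "pair", ("Nonce", "Key"))}),
    plus=frozenset({("Known", "Pair", "Known"), ("Hidden", "Pair", "Pair")}),
    zero=frozenset({"Known"}), eps=frozenset(),
    push=frozenset({("Learn", 1, "Known", "pair", 2), ("Learn", 2, "Known", "pair", 2),
                    ("Leak", 1, "Hidden", "pair", 2)}))
C = saturate(A)
N, K = term(("n",)), term(("k",))
```

Running `saturate(A)` adds exactly the epsilon clauses Learn(x) ⇐ Nonce(x) and Learn(x) ⇐ Key(x); the Leak push clause fires on no pop clause because Hidden never accepts a lone functional term.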


10.1.1 Two-Way AC Automata 

As in the case of intersection and complementation of one-way ACU tree automata, observe that the presence of the unit symbol $0$ is not at all crucial for the above proof. The same proof with minor modifications works for the AC case. We merely state the result without repeating the proof:

Theorem 33 A two-way AC automaton can be effectively converted to a one-way AC automaton accepting the same language. In particular they are effectively closed under intersection and complementation.


10.2 Two-Way ACUX and ACUX$_n$ Automata

We show in this section that two-way ACUX (resp. ACUX$_n$) automata can be effectively reduced to one-way ACUX (resp. ACUX$_n$) automata.

Consider a two-way ACUX automaton $\mathcal{A}$ with predicates from $\mathcal{P}$. As in the ACU case, to convert it to a one-way ACUX automaton, we describe a saturation procedure which adds new epsilon clauses till the push clauses become redundant. The idea is that if any push clause is ever used then the corresponding free functional symbol must have been introduced by some pop clause. But the clauses from $\mathcal{A}_{eq}$ might have been used in between to add new terms, which eventually get cancelled using X to leave only one functional term. Below, the $b$'s act as abstractions for the terms that are cancelled, and the $a$'s for the terms which remain.

We introduce new sets $S_1 = \{a_P \mid P \in \mathcal{P}\}$ and $S_2 = \{b_{P,Q} \mid P,Q \in \mathcal{P}\}$. We do not distinguish between $b_{P,Q}$ and $b_{Q,P}$. We define $\mathcal{B} = \mathcal{A}_{eq} \cup \{P(a_P) \mid P \in \mathcal{P}\} \cup \{P(b_{P,Q}) \mid P,Q \in \mathcal{P}\}$.

Then $\mathcal{L}_P(\mathcal{B}/\mathrm{ACU})$ is a semilinear set for every $P$. For $P,Q \in \mathcal{P}$ and $S \subseteq S_2$, define $\mathcal{L}_{P,Q,S,\mathcal{A}}$ to be the set of $t \in \mathcal{L}_P(\mathcal{B}/\mathrm{ACU})$ such that

1. $a_Q$ occurs in $t$ exactly once

2. $\forall Q' \neq Q \cdot a_{Q'}$ does not occur in $t$

3. each constant in $S$ occurs in $t$ a positive and even number of times

4. no constant from $S_2 \setminus S$ occurs in $t$

Clearly $\mathcal{L}_{P,Q,S,\mathcal{A}}$ is also semilinear because it is Presburger-definable. In particular, we can effectively check its emptiness.

If $\mathcal{A}$ has a free push clause
\[
R(x_i) \Leftarrow P(f(x_1,\dots,x_n)) \wedge R_1^1(x_{i_1}) \wedge \dots \wedge R_1^{n_1}(x_{i_1}) \wedge \dots \wedge R_k^1(x_{i_k}) \wedge \dots \wedge R_k^{n_k}(x_{i_k}),
\]
a free pop clause
\[
Q(f(x_1,\dots,x_n)) \Leftarrow Q_1(x_1) \wedge \dots \wedge Q_n(x_n)
\]
and there is a set $S \subseteq S_2$ such that

1. $\mathcal{L}_{P,Q,S,\mathcal{A}} \neq \emptyset$

2. $\forall b_{Q',Q''} \in S \cdot \exists t \cdot$ both $Q'$ and $Q''$ accept $t$ in $\mathcal{A}_{one\text{-}way}/\mathrm{ACUX}$

3. $\forall j \in \{1,\dots,k\} \cdot \exists t \cdot$ each of the predicates $Q_{i_j}, R_j^1, \dots, R_j^{n_j}$ accepts $t$ in $\mathcal{A}_{one\text{-}way}/\mathrm{ACUX}$

4. $\forall j \in \{1,\dots,n\} \setminus \{i, i_1,\dots,i_k\} \cdot \exists t \cdot Q_j$ accepts $t$ in $\mathcal{A}_{one\text{-}way}/\mathrm{ACUX}$

then we will write $\mathcal{A} \rhd \mathcal{A} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$, which we take to constitute one step of our saturation procedure. This can be effectively decided because one-way ACUX automata are closed under intersection and hence their intersection emptiness is decidable. The saturation step is harmless:


Lemma 48 Let $\mathcal{A} \rhd \mathcal{A} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$ as above. Then any atom derivable in $\mathcal{A} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}/\mathrm{ACUX}$ is also derivable in $\mathcal{A}/\mathrm{ACUX}$.


Proof: As in the ACU case, it is sufficient to show that for any $t_i$, if $Q_i(t_i)$ is derivable in $\mathcal{A}/\mathrm{ACUX}$, then $R(t_i)$ is derivable in $\mathcal{A}/\mathrm{ACUX}$. As in the definition above, let $t_{i_j}$ be the term accepted at the predicates $Q_{i_j}, R_j^1, \dots, R_j^{n_j}$ in $\mathcal{A}/\mathrm{ACUX}$ for $j \in \{1,\dots,k\}$. Also let $t_j$ be the term recognized at $Q_j$ in $\mathcal{A}/\mathrm{ACUX}$ for $j \in \{1,\dots,n\} \setminus \{i, i_1,\dots,i_k\}$. $Q(f(t_1,\dots,t_n))$ is derivable in $\mathcal{A}/\mathrm{ACUX}$ using the pop clause. As $\mathcal{L}_{P,Q,S,\mathcal{A}} \neq \emptyset$, there is an atom of the form $P(a_Q + 2b_{Q'_1,Q''_1} + \dots + 2b_{Q'_p,Q''_p})$ derivable in $\mathcal{B}/\mathrm{ACU}$, with $p \geq 0$ and $b_{Q'_i,Q''_i} \in S$ for $1 \leq i \leq p$. Let $u_i$ be the term accepted at $Q'_i$ and $Q''_i$ in $\mathcal{A}_{one\text{-}way}/\mathrm{ACUX}$. The derivation (call it $\pi$) of $P(a_Q + 2b_{Q'_1,Q''_1} + \dots + 2b_{Q'_p,Q''_p})$ has a functional support of the form $Q(a_Q), Q^1_1(b_{Q'_1,Q''_1}), Q^2_1(b_{Q'_1,Q''_1}), \dots, Q^1_p(b_{Q'_p,Q''_p}), Q^2_p(b_{Q'_p,Q''_p})$ where $Q^1_i, Q^2_i \in \{Q'_i, Q''_i\}$. We have
\[
\pi \;=\; \frac{Q(a_Q)\quad Q^1_1(b_{Q'_1,Q''_1})\quad Q^2_1(b_{Q'_1,Q''_1})\quad \cdots\quad Q^1_p(b_{Q'_p,Q''_p})\quad Q^2_p(b_{Q'_p,Q''_p})}{P(a_Q + 2b_{Q'_1,Q''_1} + \dots + 2b_{Q'_p,Q''_p})}\ (\mathcal{B}_{eq}/\mathrm{ACU}) \tag{10.3}
\]
Also by definition $\mathcal{B}_{eq} = \mathcal{A}_{eq}$. Hence using (10.3) and Lemma 21, and the fact that the atoms $Q(f(t_1,\dots,t_n)), Q'_1(u_1), Q''_1(u_1), \dots, Q'_p(u_p), Q''_p(u_p)$ are derivable in $\mathcal{A}/\mathrm{ACUX}$, we get a derivation of $P(f(t_1,\dots,t_n) + 2u_1 + \dots + 2u_p)$ in $\mathcal{A}/\mathrm{ACUX}$. Hence $P(f(t_1,\dots,t_n))$ is derivable in $\mathcal{A}/\mathrm{ACUX}$. Finally we use the free push clause to get a derivation of $R(t_i)$ in $\mathcal{A}/\mathrm{ACUX}$. □

The converse is trivially true. Thus $\mathcal{A}$ and $\mathcal{A} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$ have the same set of derivable atoms modulo ACUX.

Given a two-way ACUX automaton $\mathcal{A}$ our saturation procedure consists of (don't-care non-deterministically) generating a sequence $\mathcal{A}_0 (= \mathcal{A}) \rhd \mathcal{A}_1 \rhd \mathcal{A}_2 \cdots$ until no new clauses can be generated. This always terminates because there are only a finite number of epsilon clauses possible. Let the final (saturated) automaton be $\mathcal{C}$. Then we remove the free push clauses from $\mathcal{C}$ to get a one-way automaton $\mathcal{C}_{one\text{-}way}$. This step is also harmless:

Lemma 49 If any atom is derivable in $\mathcal{C}/\mathrm{ACUX}$, then it is derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUX}$.

Proof: As in the ACU case, it is sufficient to show that for every derivation in $\mathcal{C}/\mathrm{ACUX}$ which uses a free push clause at the root and nowhere else, there is a derivation in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUX}$ with the same conclusion. So we assume a derivation $\pi$ in $\mathcal{C}/\mathrm{ACUX}$ of an atom $R(t_i)$ which uses a push clause $R(x_i) \Leftarrow P(f(x_1,\dots,x_n)) \wedge R_1^1(x_{i_1}) \wedge \dots \wedge R_1^{n_1}(x_{i_1}) \wedge \dots \wedge R_k^1(x_{i_k}) \wedge \dots \wedge R_k^{n_k}(x_{i_k})$ as the last clause, and does not use a free push clause anywhere else. Hence the atoms $P(f(t_1,\dots,t_n)), R_1^1(t_{i_1}), \dots, R_1^{n_1}(t_{i_1}), \dots, R_k^1(t_{i_k}), \dots, R_k^{n_k}(t_{i_k})$ are derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUX}$. By Lemma 19, there is some $t =_{\mathrm{ACUX}} f(t_1,\dots,t_n)$ such that $P(t)$ is derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACU}$. We have $t =_{\mathrm{ACU}} f(t'_1,\dots,t'_n) + u_1 + v_1 + \dots + u_p + v_p$ for some $p \geq 0$ such that for $1 \leq i \leq n$, $t_i =_{\mathrm{ACUX}} t'_i$, and for $1 \leq i \leq p$, $u_i$ and $v_i$ are functional and $u_i =_{\mathrm{ACUX}} v_i$. The derivation (call it $\pi$) of $P(t)$ has a functional support of the form $Q(f(t'_1,\dots,t'_n)), I_1(u_1), J_1(v_1), \dots, I_p(u_p), J_p(v_p)$, and we have
\[
\pi \;=\; \frac{Q(f(t'_1,\dots,t'_n))\quad I_1(u_1)\quad J_1(v_1)\quad \cdots\quad I_p(u_p)\quad J_p(v_p)}{P(t)}\ (\mathcal{C}_{eq}/\mathrm{ACU}) \tag{10.4}
\]
Define the automaton $\mathcal{D} = \mathcal{C}_{eq} \cup \{P(a_P) \mid P \in \mathcal{P}\} \cup \{P(b_{P,Q}) \mid P,Q \in \mathcal{P}\}$. The atom $Q(a_Q)$ as well as the atoms $I_i(b_{I_i,J_i})$ and $J_i(b_{I_i,J_i})$ for $1 \leq i \leq p$ are derivable in $\mathcal{D}/\mathrm{ACU}$. Also $\mathcal{D}_{eq} = \mathcal{C}_{eq}$. Hence from (10.4) and Lemma 21, $P(a_Q + 2b_{I_1,J_1} + \dots + 2b_{I_p,J_p})$ is derivable in $\mathcal{D}/\mathrm{ACU}$. Let $S = \{b_{I_1,J_1}, \dots, b_{I_p,J_p}\}$. Then clearly $\mathcal{L}_{P,Q,S,\mathcal{C}} \neq \emptyset$. The derivation of $Q(f(t'_1,\dots,t'_n))$ uses some clause $Q(f(x_1,\dots,x_n)) \Leftarrow Q_1(x_1) \wedge \dots \wedge Q_n(x_n)$ as the last clause, and the atoms $Q_1(t'_1), \dots, Q_n(t'_n)$ are derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACU}$. For $1 \leq i \leq n$, as $t'_i =_{\mathrm{ACUX}} t_i$, $Q_i(t_i)$ is derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUX}$. By replacing the automata $\mathcal{A}$ and $\mathcal{B}$ in the base step of the saturation procedure above by the automata $\mathcal{C}$ and $\mathcal{D}$, we have that $\mathcal{C} \rhd \mathcal{C} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$. But $\mathcal{C}$ is already saturated, hence $R(x_i) \Leftarrow Q_i(x_i) \in \mathcal{C}$. Also $Q_i(t_i)$ is derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUX}$. Hence $R(t_i)$ is derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUX}$. □

The converse is trivially true. Then as in the ACU case, we have

Theorem 34 A two-way ACUX automaton can be effectively converted to a one-way ACUX automaton accepting the same language.


10.2.1 Generalization to the ACUX$_n$ Case

As for the results on the closure under intersection of one-way automata, the above results on two-way ACUX automata generalize easily to two-way ACUX$_n$ automata. Again the only difference from the ACUX case is that in derivations, $n$-tuples of equal terms cancel together instead of pairs of equal terms. We give the saturation procedure without repeating the proofs.

Consider a two-way ACUX$_n$ automaton $\mathcal{A}$ with predicates from $\mathcal{P}$. In the construction below, the $b$'s act as abstractions for the terms that are cancelled, and the $a$'s for the terms which remain.
We introduce new sets $S_1 = \{a_P \mid P \in \mathcal{P}\}$ and $S_2 = \{b_{P_1,\dots,P_n} \mid P_1,\dots,P_n \in \mathcal{P}\}$. The order of the predicates $P_1,\dots,P_n$ in $b_{P_1,\dots,P_n}$ is ignored. We define $\mathcal{B} = \mathcal{A}_{eq} \cup \{P(a_P) \mid P \in \mathcal{P}\} \cup \{P_i(b_{P_1,\dots,P_n}) \mid P_1,\dots,P_n \in \mathcal{P},\ 1 \leq i \leq n\}$.

Then $\mathcal{L}_P(\mathcal{B}/\mathrm{ACU})$ is a semilinear set for every $P$. For $P,Q \in \mathcal{P}$ and $S \subseteq S_2$, define $\mathcal{L}_{P,Q,S,\mathcal{A}}$ to be the set of $t \in \mathcal{L}_P(\mathcal{B}/\mathrm{ACU})$ such that

1. $a_Q$ occurs in $t$ exactly once

2. $\forall Q' \neq Q \cdot a_{Q'}$ does not occur in $t$

3. each constant in $S$ occurs in $t$ exactly $kn$ times for some $k \geq 1$

4. no constant from $S_2 \setminus S$ occurs in $t$

Clearly $\mathcal{L}_{P,Q,S,\mathcal{A}}$ is also semilinear because it is Presburger-definable. In particular, we can effectively check its emptiness.

If $\mathcal{A}$ has a free push clause
\[
R(x_i) \Leftarrow P(f(x_1,\dots,x_n)) \wedge R_1^1(x_{i_1}) \wedge \dots \wedge R_1^{n_1}(x_{i_1}) \wedge \dots \wedge R_k^1(x_{i_k}) \wedge \dots \wedge R_k^{n_k}(x_{i_k}),
\]
a free pop clause
\[
Q(f(x_1,\dots,x_n)) \Leftarrow Q_1(x_1) \wedge \dots \wedge Q_n(x_n)
\]
and there is a set $S \subseteq S_2$ such that

1. $\mathcal{L}_{P,Q,S,\mathcal{A}} \neq \emptyset$

2. $\forall b_{Q'_1,\dots,Q'_n} \in S \cdot \exists t \cdot$ each of the predicates $Q'_1,\dots,Q'_n$ accepts $t$ in $\mathcal{A}_{one\text{-}way}/\mathrm{ACUX}_n$

3. $\forall j \in \{1,\dots,k\} \cdot \exists t \cdot$ each of the predicates $Q_{i_j}, R_j^1, \dots, R_j^{n_j}$ accepts $t$ in $\mathcal{A}_{one\text{-}way}/\mathrm{ACUX}_n$

4. $\forall j \in \{1,\dots,n\} \setminus \{i, i_1,\dots,i_k\} \cdot \exists t \cdot Q_j$ accepts $t$ in $\mathcal{A}_{one\text{-}way}/\mathrm{ACUX}_n$

then we will write $\mathcal{A} \rhd \mathcal{A} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$, which we take to constitute one step of our saturation procedure. This can be effectively decided because one-way ACUX$_n$ automata are closed under intersection and hence their intersection emptiness is decidable. The rest works as in the ACUX case. We merely state the final result:

Theorem 35 A two-way ACUX$_n$ automaton can be effectively converted to a one-way ACUX$_n$ automaton accepting the same language.

10.3 Two-Way ACUD Automata

In this section we show that two-way ACUD automata can be effectively reduced to one-way ACUD automata. We fix a signature $\Sigma$ containing at least the symbols $+$, $-$ and $0$. Consider a two-way ACUD automaton $\mathcal{A}$ with predicates from $\mathcal{P}$. We describe the base step of our saturation procedure that adds an epsilon clause. The new sets of constants used are $S = \{a_P \mid P \in \mathcal{P}\}$ and $\bar{S} = \{\bar{a}_P \mid P \in \mathcal{P}\}$. We define the automaton $\mathcal{B} = \mathcal{A}_{eq} \cup \{P(a_P) \mid P \in \mathcal{P}\}$. From Theorem 18, for every $P \in \mathcal{P}$, $\mathcal{L}_P(\mathcal{B}/\mathrm{ACUD})$ is a semilinear set on the constants from $S \cup \bar{S}$. In particular we can effectively check whether $a_Q \in \mathcal{L}_P(\mathcal{B}/\mathrm{ACUD})$ for $P,Q \in \mathcal{P}$.

If $\mathcal{A}$ contains a free push clause
\[
R(x_i) \Leftarrow P(f(x_1,\dots,x_n)) \wedge R_1^1(x_{i_1}) \wedge \dots \wedge R_1^{n_1}(x_{i_1}) \wedge \dots \wedge R_k^1(x_{i_k}) \wedge \dots \wedge R_k^{n_k}(x_{i_k}),
\]
a free pop clause
\[
Q(f(x_1,\dots,x_n)) \Leftarrow Q_1(x_1) \wedge \dots \wedge Q_n(x_n)
\]
such that

1. $a_Q \in \mathcal{L}_P(\mathcal{B}/\mathrm{ACUD})$

2. $\forall j \in \{1,\dots,k\} \cdot \exists t \cdot$ each of the predicates $Q_{i_j}, R_j^1, \dots, R_j^{n_j}$ accepts $t$ in $\mathcal{A}_{one\text{-}way}/\mathrm{ACUD}$

3. $\forall j \in \{1,\dots,n\} \setminus \{i, i_1,\dots,i_k\} \cdot \exists t \cdot Q_j$ accepts $t$ in $\mathcal{A}_{one\text{-}way}/\mathrm{ACUD}$

then we write $\mathcal{A} \rhd \mathcal{A} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$, which we take to constitute the base step of our saturation procedure.

The base step of our saturation procedure is harmless:

Lemma 50 Let $\mathcal{A} \rhd \mathcal{A} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$ as above. Then any atom derivable in $\mathcal{A} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}/\mathrm{ACUD}$ is also derivable in $\mathcal{A}/\mathrm{ACUD}$.

Proof: As for the previous theories it is sufficient to show that for any $t_i$, if $Q_i(t_i)$ is derivable in $\mathcal{A}/\mathrm{ACUD}$, then $R(t_i)$ is derivable in $\mathcal{A}/\mathrm{ACUD}$ (*). As in the definition above, let $t_{i_j}$ be some term accepted in $\mathcal{A}/\mathrm{ACUD}$ at the predicates $Q_{i_j}, R_j^1, \dots, R_j^{n_j}$ for $j \in \{1,\dots,k\}$. Also let $t_j$ be some term accepted in $\mathcal{A}/\mathrm{ACUD}$ at $Q_j$ for $j \in \{1,\dots,n\} \setminus \{i, i_1,\dots,i_k\}$. $Q(f(t_1,\dots,t_n))$ is derivable in $\mathcal{A}/\mathrm{ACUD}$ using the free pop clause. As $a_Q \in \mathcal{L}_P(\mathcal{B}/\mathrm{ACUD})$, the derivation (call it $\pi_1$) of $P(a_Q)$ in $\mathcal{B}/\mathrm{ACUD}$ has the functional support $Q(a_Q)$ and we have
\[
\pi_1 \;=\; \frac{Q(a_Q)}{P(a_Q)}\ (\mathcal{B}_{eq}/\mathrm{ACUD}) \tag{10.5}
\]
Also by definition $\mathcal{B}_{eq} = \mathcal{A}_{eq}$. Hence from the fact that $Q(f(t_1,\dots,t_n))$ is derivable in $\mathcal{A}/\mathrm{ACUD}$, and using (10.5) and Lemma 23, we get a derivation of $P(f(t_1,\dots,t_n))$ in $\mathcal{A}/\mathrm{ACUD}$. Using the free push clause we get a derivation of $R(t_i)$ in $\mathcal{A}/\mathrm{ACUD}$. This proves (*). □

The converse is trivially true. Thus $\mathcal{A}$ and $\mathcal{A} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$ have the same set of derivable atoms modulo ACUD.

Given a two-way ACUD automaton $\mathcal{A}$ our saturation procedure consists of (don't-care non-deterministically) generating a sequence $\mathcal{A}_0 (= \mathcal{A}) \rhd \mathcal{A}_1 \rhd \mathcal{A}_2 \cdots$ of automata, until no new clauses can be added. This procedure always terminates because there are only a finite number of epsilon clauses possible. (If the number of predicates in $\mathcal{P}$ is $n$ then the number of epsilon clauses possible is $n^2$.) Let the final (saturated) automaton be $\mathcal{C}$. Then it is clear that $\mathcal{A}$ and $\mathcal{C}$ have the same set of derivable atoms. Then we remove clauses (3.13) from $\mathcal{C}$ to get a one-way automaton $\mathcal{C}_{one\text{-}way}$. This last step is also harmless:


Lemma 51 If any atom is derivable in $\mathcal{C}/\mathrm{ACUD}$, then it is derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUD}$.

Proof: As for the previous theories it is sufficient to show that for every derivation in $\mathcal{C}/\mathrm{ACUD}$ which uses a free push clause at the root but nowhere else, there is a derivation in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUD}$ with the same conclusion. So we assume a derivation $\pi$ in $\mathcal{C}/\mathrm{ACUD}$ of an atom $R(t_i)$ which uses the free push clause $R(x_i) \Leftarrow P(f(x_1,\dots,x_n)) \wedge R_1^1(x_{i_1}) \wedge \dots \wedge R_1^{n_1}(x_{i_1}) \wedge \dots \wedge R_k^1(x_{i_k}) \wedge \dots \wedge R_k^{n_k}(x_{i_k})$ as the last clause, and does not use a free push clause anywhere else. Hence the atoms $P(f(t_1,\dots,t_n)), R_1^1(t_{i_1}), \dots, R_1^{n_1}(t_{i_1}), \dots, R_k^1(t_{i_k}), \dots, R_k^{n_k}(t_{i_k})$ are derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUD}$. The derivation (call it $\pi_2$) of $P(f(t_1,\dots,t_n))$ has the functional support $Q(f(t_1,\dots,t_n))$ for some $Q$, and we have
\[
\pi_2 \;=\; \frac{Q(f(t_1,\dots,t_n))}{P(f(t_1,\dots,t_n))}\ (\mathcal{C}_{eq}/\mathrm{ACUD}) \tag{10.6}
\]
Define the automaton $\mathcal{D} = \mathcal{C}_{eq} \cup \{R(a_R) \mid R \in \mathcal{P}\}$. The atom $Q(a_Q)$ is derivable in $\mathcal{D}/\mathrm{ACUD}$. Since $\mathcal{C}_{eq} = \mathcal{D}_{eq}$, from (10.6) and Lemma 21, $P(a_Q)$ is derivable in $\mathcal{D}/\mathrm{ACUD}$. Now the derivation of $Q(f(t_1,\dots,t_n))$ in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUD}$ uses some clause $Q(f(x_1,\dots,x_n)) \Leftarrow Q_1(x_1) \wedge \dots \wedge Q_n(x_n)$ as the last clause, and the atoms $Q_1(t_1),\dots,Q_n(t_n)$ are derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUD}$. In the base step of the saturation procedure described above, by replacing the automata $\mathcal{A}$ and $\mathcal{B}$ by the automata $\mathcal{C}$ and $\mathcal{D}$ we have that $\mathcal{C} \rhd \mathcal{C} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$. But $\mathcal{C}$ is already saturated, hence $R(x_i) \Leftarrow Q_i(x_i) \in \mathcal{C}$. Also $Q_i(t_i)$ is derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUD}$. Hence $R(t_i)$ is derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUD}$. □

Theorem 36 Two-way ACUD automata can be effectively converted to one-way ACUD automata.


10.4 Two-Way ACUM Automata

In this section we show that two-way ACUM automata can be effectively reduced to one-way ACUM automata. Fix a signature $\Sigma$ containing at least the symbols $+$, $-$ and $0$. Consider a two-way ACUM automaton $\mathcal{A}$ on signature $\Sigma$ with predicates in $\mathcal{P}$. The new sets of constants used are $S_1 = \{a_P \mid P \in \mathcal{P}\}$, $\bar{S}_1 = \{\bar{a}_P \mid P \in \mathcal{P}\}$, $S_2 = \{b_{P,Q} \mid P,Q \in \mathcal{P}\}$, and $\bar{S}_2 = \{\bar{b}_{P,Q} \mid P,Q \in \mathcal{P}\}$. We define $\mathcal{B} = \mathcal{A}_{eq} \cup \{P(a_P) \mid P \in \mathcal{P}\} \cup \{P(b_{P,Q}) \mid P,Q \in \mathcal{P}\}$. Then from Theorem 18, for every $P$, $\mathcal{L}_P(\mathcal{B}/\mathrm{ACUD})$ is a semilinear set on constants from $S_1 \cup S_2 \cup \bar{S}_1 \cup \bar{S}_2$. For $P,Q \in \mathcal{P}$ and $S \subseteq S_2$, define $\mathcal{L}_{P,Q,S,\mathcal{A}}$ to be the set of $t \in \mathcal{L}_P(\mathcal{B}/\mathrm{ACUD})$ such that

1. $a_Q$ occurs in $t$ exactly once

2. $\forall Q' \neq Q \cdot a_{Q'}$ does not occur in $t$

3. each constant in $S$ occurs in $t$ at least once

4. no constant from $S_2 \setminus S$ occurs in $t$

5. for each $b_{P,Q} \in S_2$, $b_{P,Q}$ occurs exactly as many times as $\bar{b}_{P,Q}$ in $t$

Then $\mathcal{L}_{P,Q,S,\mathcal{A}}$ is also semilinear because it is Presburger-definable. In particular, we can effectively check its emptiness.

If $\mathcal{A}$ has a free push clause
\[
R(x_i) \Leftarrow P(f(x_1,\dots,x_n)) \wedge R_1^1(x_{i_1}) \wedge \dots \wedge R_1^{n_1}(x_{i_1}) \wedge \dots \wedge R_k^1(x_{i_k}) \wedge \dots \wedge R_k^{n_k}(x_{i_k}),
\]
a pop clause
\[
Q(f(x_1,\dots,x_n)) \Leftarrow Q_1(x_1) \wedge \dots \wedge Q_n(x_n)
\]
and a set $S \subseteq S_2$ such that

1. $\mathcal{L}_{P,Q,S,\mathcal{A}} \neq \emptyset$

2. $\forall b_{Q',Q''} \in S \cdot \exists t \cdot$ both $Q'$ and $Q''$ accept $t$ in $\mathcal{A}_{one\text{-}way}/\mathrm{ACUM}$

3. $\forall j \in \{1,\dots,k\} \cdot \exists t \cdot$ each of the predicates $Q_{i_j}, R_j^1, \dots, R_j^{n_j}$ accepts $t$ in $\mathcal{A}_{one\text{-}way}/\mathrm{ACUM}$

4. $\forall j \in \{1,\dots,n\} \setminus \{i, i_1,\dots,i_k\} \cdot \exists t \cdot Q_j$ accepts $t$ in $\mathcal{A}_{one\text{-}way}/\mathrm{ACUM}$

then we write $\mathcal{A} \rhd \mathcal{A} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$, which is one step of our saturation procedure.

Lemma 52 Let $\mathcal{A} \rhd \mathcal{A} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$ as above. Then any atom derivable in $\mathcal{A} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}/\mathrm{ACUM}$ is also derivable in $\mathcal{A}/\mathrm{ACUM}$.

Proof: As for the previous theories, it is sufficient to show that for any $t_i$, if $Q_i(t_i)$ is derivable in $\mathcal{A}/\mathrm{ACUM}$, then $R(t_i)$ is derivable in $\mathcal{A}/\mathrm{ACUM}$. As in the definition above, let $t_{i_j}$ be the term accepted at the predicates $Q_{i_j}, R_j^1, \dots, R_j^{n_j}$ in $\mathcal{A}/\mathrm{ACUM}$ for $j \in \{1,\dots,k\}$. Also let $t_j$ be the term recognized at $Q_j$ in $\mathcal{A}/\mathrm{ACUM}$ for $j \in \{1,\dots,n\} \setminus \{i, i_1,\dots,i_k\}$. $Q(f(t_1,\dots,t_n))$ is derivable in $\mathcal{A}/\mathrm{ACUM}$ using the pop clause. As $\mathcal{L}_{P,Q,S,\mathcal{A}} \neq \emptyset$, there is an atom of the form $P(a_Q + (b_{Q'_1,Q''_1} - b_{Q'_1,Q''_1}) + \dots + (b_{Q'_p,Q''_p} - b_{Q'_p,Q''_p}))$ derivable in $\mathcal{B}/\mathrm{ACUD}$, with $p \geq 0$ and $b_{Q'_i,Q''_i} \in S$ for $1 \leq i \leq p$. Let $u_i$ be the term accepted at $Q'_i$ and $Q''_i$ in $\mathcal{A}_{one\text{-}way}/\mathrm{ACUM}$. The derivation (call it $\pi$) of $P(a_Q + (b_{Q'_1,Q''_1} - b_{Q'_1,Q''_1}) + \dots + (b_{Q'_p,Q''_p} - b_{Q'_p,Q''_p}))$ has a functional support of the form $Q(a_Q), Q^1_1(b_{Q'_1,Q''_1}), Q^2_1(b_{Q'_1,Q''_1}), \dots, Q^1_p(b_{Q'_p,Q''_p}), Q^2_p(b_{Q'_p,Q''_p})$ where $Q^1_i, Q^2_i \in \{Q'_i, Q''_i\}$. We have
\[
\pi \;=\; \frac{Q(a_Q)\quad Q^1_1(b_{Q'_1,Q''_1})\quad Q^2_1(b_{Q'_1,Q''_1})\quad \cdots\quad Q^1_p(b_{Q'_p,Q''_p})\quad Q^2_p(b_{Q'_p,Q''_p})}{P(a_Q + (b_{Q'_1,Q''_1} - b_{Q'_1,Q''_1}) + \dots + (b_{Q'_p,Q''_p} - b_{Q'_p,Q''_p}))}\ (\mathcal{B}_{eq}/\mathrm{ACUD}) \tag{10.7}
\]
Also by definition $\mathcal{B}_{eq} = \mathcal{A}_{eq}$. Hence using (10.7) and Lemma 23, and the fact that the atoms $Q(f(t_1,\dots,t_n)), Q'_1(u_1), Q''_1(u_1), \dots, Q'_p(u_p), Q''_p(u_p)$ are derivable in $\mathcal{A}/\mathrm{ACUM}$, we get a derivation of $P(f(t_1,\dots,t_n) + (u_1 - u_1) + \dots + (u_p - u_p))$ in $\mathcal{A}/\mathrm{ACUM}$. Hence $P(f(t_1,\dots,t_n))$ is derivable in $\mathcal{A}/\mathrm{ACUM}$. Finally we use the free push clause to get a derivation of $R(t_i)$ in $\mathcal{A}/\mathrm{ACUM}$. □

The converse is trivially true. Thus $\mathcal{A}$ and $\mathcal{A} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$ have the same set of derivable atoms modulo ACUM.

Given a two-way ACUM automaton $\mathcal{A}$ our saturation procedure consists of (don't-care non-deterministically) generating a sequence $\mathcal{A}_0 (= \mathcal{A}) \rhd \mathcal{A}_1 \rhd \mathcal{A}_2 \cdots$ until no new clauses can be generated. This always terminates because there are only a finite number of epsilon clauses possible. Let the final (saturated) automaton be $\mathcal{C}$. Then we remove the free push clauses from $\mathcal{C}$ to get a one-way automaton $\mathcal{C}_{one\text{-}way}$. This step is also harmless:

Lemma 53 If any atom is derivable in $\mathcal{C}/\mathrm{ACUM}$, then it is derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUM}$.

Proof: As before, it is sufficient to show that for every derivation in $\mathcal{C}/\mathrm{ACUM}$ which uses a free push clause at the root and nowhere else, there is a derivation in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUM}$ with the same conclusion. So we assume a derivation $\pi$ in $\mathcal{C}/\mathrm{ACUM}$ of an atom $R(t_i)$ which uses a free push clause $R(x_i) \Leftarrow P(f(x_1,\dots,x_n)) \wedge R_1^1(x_{i_1}) \wedge \dots \wedge R_1^{n_1}(x_{i_1}) \wedge \dots \wedge R_k^1(x_{i_k}) \wedge \dots \wedge R_k^{n_k}(x_{i_k})$ as the last clause, and does not use a free push clause anywhere else. Hence the atoms $P(f(t_1,\dots,t_n)), R_1^1(t_{i_1}), \dots, R_1^{n_1}(t_{i_1}), \dots, R_k^1(t_{i_k}), \dots, R_k^{n_k}(t_{i_k})$ are derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUM}$. By Lemma 19, there is some $t =_{\mathrm{ACUM}} f(t_1,\dots,t_n)$ such that $P(t)$ is derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUD}$. We have $t =_{\mathrm{ACUD}} f(t'_1,\dots,t'_n) + u_1 - v_1 + \dots + u_p - v_p$ for some $p \geq 0$ such that for $1 \leq i \leq n$, $t_i =_{\mathrm{ACUM}} t'_i$, and for $1 \leq i \leq p$, $u_i$ and $v_i$ are functional and $u_i =_{\mathrm{ACUM}} v_i$. The derivation (call it $\pi$) of $P(t)$ has a functional support of the form $Q(f(t'_1,\dots,t'_n)), I_1(u_1), J_1(v_1), \dots, I_p(u_p), J_p(v_p)$, and we have
\[
\pi \;=\; \frac{Q(f(t'_1,\dots,t'_n))\quad I_1(u_1)\quad J_1(v_1)\quad \cdots\quad I_p(u_p)\quad J_p(v_p)}{P(t)}\ (\mathcal{C}_{eq}/\mathrm{ACUD}) \tag{10.8}
\]
Define the automaton $\mathcal{D} = \mathcal{C}_{eq} \cup \{P(a_P) \mid P \in \mathcal{P}\} \cup \{P(b_{P,Q}) \mid P,Q \in \mathcal{P}\}$. The atom $Q(a_Q)$ as well as the atoms $I_i(b_{I_i,J_i})$ and $J_i(b_{I_i,J_i})$ for $1 \leq i \leq p$ are derivable in $\mathcal{D}/\mathrm{ACUD}$. Also $\mathcal{D}_{eq} = \mathcal{C}_{eq}$. Hence from (10.8) and Lemma 23, $P(a_Q + (b_{I_1,J_1} - b_{I_1,J_1}) + \dots + (b_{I_p,J_p} - b_{I_p,J_p}))$ is derivable in $\mathcal{D}/\mathrm{ACUD}$. Let $S = \{b_{I_1,J_1}, \dots, b_{I_p,J_p}\}$. Then clearly $\mathcal{L}_{P,Q,S,\mathcal{C}} \neq \emptyset$. The derivation of $Q(f(t'_1,\dots,t'_n))$ uses some clause $Q(f(x_1,\dots,x_n)) \Leftarrow Q_1(x_1) \wedge \dots \wedge Q_n(x_n)$ as the last clause, and the atoms $Q_1(t'_1), \dots, Q_n(t'_n)$ are derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUM}$. For $1 \leq i \leq n$, as $t'_i =_{\mathrm{ACUM}} t_i$, $Q_i(t_i)$ is derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUM}$. By replacing the automata $\mathcal{A}$ and $\mathcal{B}$ in the base step of the saturation procedure above by the automata $\mathcal{C}$ and $\mathcal{D}$, we have that $\mathcal{C} \rhd \mathcal{C} \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$. But $\mathcal{C}$ is already saturated, hence $R(x_i) \Leftarrow Q_i(x_i) \in \mathcal{C}$. Also $Q_i(t_i)$ is derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUM}$. Hence $R(t_i)$ is derivable in $\mathcal{C}_{one\text{-}way}/\mathrm{ACUM}$. □

The converse is trivially true. Hence as before we have

Theorem 37 A two-way ACUM automaton can be effectively converted to a one-way ACUM automaton accepting the same language.

10.5 Two-Way ACUI Automata

While the one-way ACUI automata are known to be closed under intersection and not closed under complementation, unlike in the other theories, we do not know whether the two-way automata have the same expressiveness as the one-way automata. Still we do know that the two-way ACUI automata are powerful enough to express alternation: the clause $P(x) \Leftarrow P_1(x) \wedge P_2(x)$ can be translated as $Q_1(f(x)) \Leftarrow P_1(x)$, $Q_2(f(x)) \Leftarrow P_2(x)$, $Q(x+y) \Leftarrow Q_1(x) \wedge Q_2(y)$, $P(x) \Leftarrow Q(f(x))$ for fresh predicates $Q_1, Q_2, Q$ and a unary free symbol $f$. We have already seen that alternation produces undecidability for the ACU, ACUD and ACUM theories. This suggests that this problem is difficult and might require new techniques.

10.6 Conclusion

We have shown that except for the theory ACUI, for all other AC theories we deal with (AC, ACU, ACUX, ACUX$_n$, ACUM), the two-way automata are reducible to equivalent one-way automata. The constructions involved saturation procedures which added new epsilon clauses until the free push clauses in the automata become redundant. The ACUI case has been left open. In particular these automata (except in the ACUI case) have the same decidability and closure properties as the corresponding one-way automata. In particular intersection-emptiness of these two-way automata is decidable, which is what is needed from the point of view of cryptographic protocols. For example, recall that the modeling of the group Diffie-Hellman protocol in Chapter 5 is done using two-way ACU and ACUX automata. Also the security property was expressed as intersection emptiness of two-way AC automata. From the results in this chapter, we know that these properties are decidable.
Chapter 11

Extended VASS and Automata with +-Push Clauses

The push clauses considered in the two-way automata of Chapter 10 only involve non-equational function symbols (that is, symbols other than $+$). In this chapter we study automata with push clauses containing $+$. To handle them, we must first define an extension of vector addition systems with states (VASS) [Reu89], which we call extended VASS (EVASS). We show that the Karp-Miller trees, defined so as to compute the limits of the reachable configurations of VASS, can be generalized to EVASS. Thanks to translations of AC automata into EVASS, we are able to show that the automata obtained by adding standard +-push clauses to one-way and two-way AC automata effectively reduce to one-way AC automata. However, since the Karp and Miller construction (even for VASS) is not primitive recursive, this does not give us a tractable algorithm. By contrast, we show that in the ACU case (as opposed to AC) there is no need to go through EVASS, and we give surprisingly simple reductions from the automata obtained by adding standard +-push clauses to one-way and two-way ACU automata to one-way ACU automata. As for +-push clauses, which are strictly more expressive than standard +-push clauses, and although these clauses can be trivially eliminated from ACUX and ACUM automata, the emptiness test for automata containing these clauses modulo ACU is at least as hard as the reachability problem for VASS or Petri nets, a problem well known to be hard. We show that the intersection-emptiness problem for this class of automata reduces to the emptiness problem for the same class of automata, which gives an indication of the expressive power of +-push clauses. This suggests that AC and ACU automata with +-push clauses are hard to handle, and the question of their decidability is currently open.
We saw in Chapter 6 that general two-way automata have an undecidable emptiness problem for the theories ACU, AC, ACUB and ACUM. This led us to study a restricted class called two-way automata, and we showed that two-way automata can be effectively reduced to one-way automata modulo all our theories except ACUI. The two-way automata are obtained from one-way automata by adding free push clauses of the form

$$P(x_i) \Leftarrow Q(f(x_1,\dots,x_n)) \wedge P_1(x_{i_1}) \wedge \dots \wedge P_k(x_{i_k}),$$

$f$ being free, $1 \le i_1,\dots,i_k \le n$, $i \in \{1,\dots,n\} \setminus \{i_1,\dots,i_k\}$.

Note that one of the side-conditions in the above clause is that $f$ is free. In particular we have not studied till now the properties of automata which have push clauses involving the symbol +. While the class of automata studied in Chapter 10 is sufficient for modeling cryptographic protocols, as illustrated by the example in Chapter 5, it is natural to ask what properties the automata have in the presence of push clauses involving the +-symbol. We introduced two such clauses in Chapter 3:

$$P(x) \Leftarrow P_1(x + y) \wedge P_2(y)$$

$$P(x) \Leftarrow Q(x + y)$$

which we called the +-push clause and the standard +-push clause respectively. In this chapter we study the automata obtained by adding these kinds of clauses. To deal with certain classes of these automata, in particular automata modulo AC containing standard +-push clauses, we need to define and study an extension of the traditional notion of Vector Addition Systems with States (VASS). This extension is obtained by adding a new form of transition rule which makes the runs branching tree-like structures instead of linear ones. We show that the Karp-Miller tree construction for VASS can be extended to deal with the extended VASS, to get extended Karp-Miller trees. This allows us to compute the 'limits' of reachable configurations in an extended VASS. We then use these results on extended VASS to show decidability and closure properties of our automata.

First it is easy to observe that +-push clauses are more expressive than standard +-push clauses. A standard +-push clause $P(x) \Leftarrow Q(x+y)$ can be coded using the clause $P(x) \Leftarrow Q(x+y) \wedge Q_{all}(y)$, where $Q_{all}$ is a new state, together with a set of clauses which allow $Q_{all}$ to accept all terms built from our signature.

Hence if we know how to deal with +-push clauses in our automata, then we know how to deal with standard +-push clauses. This is possible at least for two theories, namely ACUX, the theory of xor, and ACUM, the theory of Abelian groups. In the xor case, observe that for any terms $s, t, u$ we have $s + t =_{\mathrm{ACUX}} u \iff s =_{\mathrm{ACUX}} u + t$. As a result, the +-push clause $P(x) \Leftarrow P_1(x+y) \wedge P_2(y)$ can be replaced in an ACUX automaton by the +-pop clause $P(x+y) \Leftarrow P_1(x) \wedge P_2(y)$ without changing the language accepted modulo ACUX. Hence

Observation 12 Modulo the theory ACUX, an automaton which contains two-way (resp. one-way) ACUX automata clauses as well as +-push clauses can be converted in linear time to an equivalent two-way (resp. one-way) ACUX automaton.

In the case of the theory of Abelian groups, for any terms $s, t, u$ we have $s + t =_{\mathrm{ACUM}} u \iff s =_{\mathrm{ACUM}} u + (-t)$. Hence the +-push clause $P(x) \Leftarrow P_1(x+y) \wedge P_2(y)$ can be replaced in an ACUM automaton by the pair of clauses $P_2'(-x) \Leftarrow P_2(x)$ and $P(x+y) \Leftarrow P_1(x) \wedge P_2'(y)$, for some fresh predicate $P_2'$, without changing the language accepted modulo ACUM. Hence

Observation 13 Modulo the theory ACUM, an automaton which contains two-way (resp. one-way) ACUM automata clauses as well as +-push clauses can be converted in linear time to an equivalent two-way (resp. one-way) ACUM automaton.


11.1 ACU Automata with Standard +-Push Clauses

We showed above that +-push clauses (and consequently the standard +-push clauses) are redundant in the case of the theories ACUX and ACUM, and that these clauses can be easily eliminated from our automata. We now come to the theories AC and ACU, for which the situation is rather different. First, in this section, we deal with one of the simpler cases: the case of one-way ACU automata extended by adding standard +-push clauses. We show that adding standard +-push clauses to one-way ACU automata does not increase their expressiveness, and that they can be effectively eliminated. Let the signature be $\Sigma$ and let $+, 0 \in \Sigma$ and $- \notin \Sigma$.

First we show that it is easy to decide emptiness of a state in such an automaton. This is done by Algorithm 1, which computes the set of all reachable (or non-empty) states in an automaton $\mathcal{A}$ which contains one-way ACU automata clauses and standard +-push clauses. It works in a way similar to the algorithm for computing the set of reachable states of one-way automata. Recall that the algorithm for computing the set of reachable states in a one-way (equational) automaton works by marking all the reachable states. Initially all the states are unmarked. If there is a pop clause or an epsilon clause $C$ such that all states in the body of $C$ are already marked, then the algorithm marks the state in the head of $C$. Algorithm 1 extends this algorithm by treating standard +-push clauses just like pop clauses and epsilon clauses, i.e. if the state in the body of a standard +-push clause is already marked, then the algorithm marks the state in the head of the clause.

To prove termination of the algorithm, observe that at the end of each iteration of the Repeat-Until loop, if $StateAdded = True$ then at least one new state was added to the set $Reachable$. Since there are only finitely many states in $\mathcal{A}$, Algorithm 1 is guaranteed to terminate.

Now we show that each state in the output of Algorithm 1 is reachable in $\mathcal{A}/\mathrm{ACU}$. Clearly if $P(0)$ is a clause then $P$ is reachable. Next we argue that if $P \in Reachable$ after any number of iterations of the Repeat-Until loop, then $P$ is reachable in $\mathcal{A}/\mathrm{ACU}$. Consider one iteration of this loop. We know that if a free pop clause $P(f(x_1,\dots,x_n)) \Leftarrow P_1(x_1) \wedge \dots \wedge P_n(x_n) \in \mathcal{A}$ and $P_1,\dots,P_n$ are reachable in $\mathcal{A}/\mathrm{ACU}$, then $P$ is reachable in $\mathcal{A}/\mathrm{ACU}$. Hence the states added to $Reachable$ using the first For loop inside the Repeat-Until loop are actually reachable. Similar arguments hold for +-pop clauses and epsilon clauses. Now if a standard +-push clause $P(x) \Leftarrow Q(x+y) \in \mathcal{A}$ and $Q$ is reachable, then we have some term $t$ which is accepted at $Q$ in $\mathcal{A}/\mathrm{ACU}$. Then using this clause (with $y$ instantiated to $0$), $t$ is also accepted at $P$. Hence $P$ is also reachable. Thus the states added to $Reachable$ using the last For loop of the Repeat-Until loop are reachable. Hence we have shown that each state in the output of Algorithm 1 is reachable.

Algorithm 1 computes all the states that are reachable in $\mathcal{A}/\mathrm{ACU}$ because if there is a derivation $\pi$ in $\mathcal{A}/\mathrm{ACU}$ which leads to some term being accepted at $P$, then the clause $C$ used by $\pi$ as the last clause has $P$ in the head, and for every $P'$ in the body of $C$ there is a derivation strictly smaller than $\pi$ which leads to some term being accepted at $P'$. Hence using an inductive argument we can show that all states reachable in $\mathcal{A}/\mathrm{ACU}$ are computed by the algorithm. We conclude that

Lemma 54 The emptiness of a state in $\mathcal{A}/\mathrm{ACU}$, where $\mathcal{A}$ is an automaton modulo ACU containing one-way ACU automata clauses and standard +-push clauses, is decidable in polynomial time.





Algorithm 1 Reachable States of Automata Modulo ACU Containing One-Way ACU Automata Clauses and +-Push Clauses

# Input: automaton $\mathcal{A}$ modulo ACU, on signature $\Sigma$, and containing one-way ACU automata clauses and standard +-push clauses
# Output: a set of states

    Reachable := ∅;
    For each zero clause P(0) ∈ 𝒜
        Reachable := Reachable ∪ {P};
    Repeat
        StateAdded := False;
        For each free pop clause P(f(x1, ..., xn)) ⇐ P1(x1) ∧ ... ∧ Pn(xn) ∈ 𝒜
            if {P1, ..., Pn} ⊆ Reachable and P ∉ Reachable then
                Reachable := Reachable ∪ {P};
                StateAdded := True;
        For each +-pop clause P(x + y) ⇐ P1(x) ∧ P2(y) ∈ 𝒜
            if P1, P2 ∈ Reachable and P ∉ Reachable then
                Reachable := Reachable ∪ {P};
                StateAdded := True;
        For each epsilon clause P(x) ⇐ P1(x) ∈ 𝒜
            if P1 ∈ Reachable and P ∉ Reachable then
                Reachable := Reachable ∪ {P};
                StateAdded := True;
        For each standard +-push clause P(x) ⇐ Q(x + y) ∈ 𝒜
            if Q ∈ Reachable and P ∉ Reachable then
                Reachable := Reachable ∪ {P};
                StateAdded := True;
    Until (StateAdded = False);
    Return Reachable;


Note that the key idea which makes this algorithm work is the fact that if $P(x) \Leftarrow Q(x+y)$ is a clause and $Q$ is reachable in $\mathcal{A}/\mathrm{ACU}$, then we can conclude that $P$ is reachable in $\mathcal{A}/\mathrm{ACU}$. This is because we can instantiate the variable $y$ in the above clause to the term $0$. Hence the presence of a unit for the + symbol is crucial for the correctness of this algorithm. Observe that the same algorithm becomes incorrect when the theory we are working with is AC instead of ACU. Hence the correctness of this algorithm is strongly dependent on the equational theory, as opposed to the usual reachability algorithm for one-way equational tree automata, which works for all equational theories. Still, we prove later that emptiness is also decidable for one-way AC automata extended by adding standard +-push clauses.

Now we show that one-way ACU automata extended with standard +-push clauses can be reduced to one-way ACU automata. Let $\mathcal{A}$ be a one-way ACU automaton, together with standard +-push clauses, on signature $\Sigma$. Let $\mathcal{P}$ be the set of predicates in $\mathcal{A}$. We now construct a one-way ACU automaton $\mathcal{B}$ (without standard +-push clauses) equivalent to $\mathcal{A}$. Because of Lemma 54, we can assume that no state in $\mathcal{P}$ is empty in $\mathcal{A}/\mathrm{ACU}$; otherwise we can (effectively) remove that state (and the related clauses) from the automaton. (If the final state of $\mathcal{A}$ itself is empty, then we let $\mathcal{B}$ be the trivial one-way automaton which has no clauses.) To compute the required one-way automaton we need a new predicate symbol $P^\dagger$ for each predicate $P \in \mathcal{P}$. For $s, t \in T(\Sigma)$ define

$$s \le_+ t \quad\text{iff}\quad s + u =_{\mathrm{ACU}} t \text{ for some } u \in T(\Sigma).$$

For $P \in \mathcal{P}$, we intend $P$ to accept the same language in both $\mathcal{A}$ and $\mathcal{B}$, whereas we intend $P^\dagger$ to accept all terms $s$ such that $s \le_+ t$ for some term $t$ accepted at $P$. We define the automaton $\mathcal{B}$ to contain clauses corresponding to the clauses of $\mathcal{A}$ as defined by the following table:


Clause of $\mathcal{A}$ | Clauses of $\mathcal{B}$
--- | ---
$P(0)$ | $P(0)$ ; $P^\dagger(0)$
$P(x) \Leftarrow P_1(x)$ | $P(x) \Leftarrow P_1(x)$ ; $P^\dagger(x) \Leftarrow P_1^\dagger(x)$
$P(x+y) \Leftarrow P_1(x) \wedge P_2(y)$ | $P(x+y) \Leftarrow P_1(x) \wedge P_2(y)$ ; $P^\dagger(x+y) \Leftarrow P_1^\dagger(x) \wedge P_2^\dagger(y)$
$P(f(x_1,\dots,x_n)) \Leftarrow P_1(x_1) \wedge \dots \wedge P_n(x_n)$ ($f$ is free) | $P(f(x_1,\dots,x_n)) \Leftarrow P_1(x_1) \wedge \dots \wedge P_n(x_n)$ ; $P^\dagger(f(x_1,\dots,x_n)) \Leftarrow P_1(x_1) \wedge \dots \wedge P_n(x_n)$ ; $P^\dagger(0)$
$P(x) \Leftarrow Q(x+y)$ | $P(x) \Leftarrow Q^\dagger(x)$ ; $P^\dagger(x) \Leftarrow Q^\dagger(x)$
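Algorithm 1 and the table above, worked in Python as an added example (not code from the thesis): the clause encoding, the state names A, B, S, T, D, E, F, the constants a and b, and the constants-only membership checker for the resulting one-way automaton are all constructed here.

```python
from collections import Counter
from itertools import product

# Clause encoding (constructed for this example, not the thesis's notation):
#   ("zero", P)                   P(0)
#   ("eps", P, P1)                P(x) <= P1(x)
#   ("pluspop", P, P1, P2)        P(x+y) <= P1(x) /\ P2(y)
#   ("free", P, f, (P1,...,Pn))   P(f(x1,...,xn)) <= P1(x1) /\ ... /\ Pn(xn), f free
#   ("push", P, Q)                P(x) <= Q(x+y)   (standard +-push clause)

def body_states(c):
    return tuple(c[3]) if c[0] == "free" else c[2:]

def reachable_states(clauses):
    """Algorithm 1: mark states until no new one is added.  The four For loops
    collapse into one pass because each clause kind only asks that its body
    states be marked.  The push case instantiates y to the unit 0, so this
    marking is only sound modulo ACU, not modulo AC."""
    reach = {c[1] for c in clauses if c[0] == "zero"}
    added = True
    while added:
        added = False
        for c in clauses:
            if c[1] not in reach and all(p in reach for p in body_states(c)):
                reach.add(c[1])
                added = True
    return reach

def remove_empty_states(clauses):
    """Lemma 54 lets us drop empty states and their clauses before translating."""
    reach = reachable_states(clauses)
    return [c for c in clauses if c[1] in reach and all(p in reach for p in body_states(c))]

def dagger(p):
    """P-dagger of the text (written P' here): accepts every s <=+ t with t accepted at P."""
    return p + "'"

def translate_to_one_way(clauses):
    """The table: each clause of A yields clauses of B; push clauses disappear."""
    out = []
    for c in clauses:
        kind, p = c[0], c[1]
        if kind == "zero":
            out += [c, ("zero", dagger(p))]
        elif kind == "eps":
            out += [c, ("eps", dagger(p), dagger(c[2]))]
        elif kind == "pluspop":
            out += [c, ("pluspop", dagger(p), dagger(c[2]), dagger(c[3]))]
        elif kind == "free":
            out += [c, ("free", dagger(p), c[2], c[3]), ("zero", dagger(p))]
        elif kind == "push":
            out += [("eps", p, dagger(c[2])), ("eps", dagger(p), dagger(c[2]))]
    return out

def sub_multisets(term):
    """Every split term = x + y modulo ACU, terms being multisets of constants."""
    keys = sorted(term)
    for counts in product(*(range(term[k] + 1) for k in keys)):
        x = Counter({k: n for k, n in zip(keys, counts) if n})
        yield x, term - x

def accepts(clauses, state, term, path=frozenset()):
    """Membership modulo ACU for a one-way automaton whose free symbols are all
    constants: a ground term is a multiset of constants, 0 the empty multiset."""
    key = (state, tuple(sorted(term.items())))
    if key in path:              # a minimal derivation never revisits (state, term)
        return False
    path = path | {key}
    for c in clauses:
        if c[1] != state:
            continue
        if c[0] == "zero" and not term:
            return True
        if c[0] == "free" and not c[3] and term == Counter({c[2]: 1}):
            return True
        if c[0] == "eps" and accepts(clauses, c[2], term, path):
            return True
        if c[0] == "pluspop" and any(accepts(clauses, c[2], x, path) and
                                     accepts(clauses, c[3], y, path)
                                     for x, y in sub_multisets(term)):
            return True
    return False

# Constructed automaton A: the constants a, b are the only free symbols.
CLAUSES_A = [
    ("free", "A", "a", ()),        # A(a)
    ("free", "B", "b", ()),        # B(b)
    ("pluspop", "S", "A", "B"),    # S(x+y) <= A(x) /\ B(y), so S accepts a+b
    ("push", "T", "S"),            # T(x) <= S(x+y): T accepts 0, a, b, a+b
    ("pluspop", "D", "E", "A"),    # E has no clauses, so D and F are empty
    ("push", "F", "D"),
]

def demo():
    """Run Algorithm 1, drop empty states, build B and test a few memberships in B."""
    live = remove_empty_states(CLAUSES_A)
    b = translate_to_one_way(live)
    t = lambda *cs: Counter(cs)
    return {
        "reachable": reachable_states(CLAUSES_A),
        "live clauses": len(live),
        "T accepts a+b": accepts(b, "T", t("a", "b")),
        "T accepts 0": accepts(b, "T", t()),
        "T accepts a+a": accepts(b, "T", t("a", "a")),
        "S accepts a": accepts(b, "S", t("a")),
    }
```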


The relationship between $\mathcal{A}$ and $\mathcal{B}$ is stated by the next two results:

Lemma 55 If $P(t)$ is derivable in $\mathcal{A}/\mathrm{ACU}$ then $P(t)$ is derivable in $\mathcal{B}/\mathrm{ACU}$ and, for all $s \le_+ t$, $P^\dagger(s)$ is derivable in $\mathcal{B}/\mathrm{ACU}$.

Proof: We do induction on the size of the derivation $\pi$ of $P(t)$ in $\mathcal{A}/\mathrm{ACU}$. We have the following cases:

(i) $\pi = \dfrac{}{P(t)}\ (P(0)/\mathrm{ACU})$

Clearly $t =_{\mathrm{ACU}} 0$. We have the derivation $\dfrac{}{P(t)}\ (P(0)/\mathrm{ACU})$ in $\mathcal{B}/\mathrm{ACU}$. Also if $s \le_+ t$ then $s =_{\mathrm{ACU}} 0$. We have the derivation $\dfrac{}{P^\dagger(s)}\ (P^\dagger(0)/\mathrm{ACU})$ in $\mathcal{B}/\mathrm{ACU}$.

(ii) $\pi = \dfrac{\begin{array}{c}\pi_1\\ P_1(t_1)\end{array}}{P(t)}\ (P(x) \Leftarrow P_1(x)/\mathrm{ACU})$

Clearly $t =_{\mathrm{ACU}} t_1$. By induction hypothesis we have a derivation $\pi_1$ of $P_1(t_1)$ in $\mathcal{B}/\mathrm{ACU}$. Hence we have the derivation

$$\dfrac{\begin{array}{c}\pi_1\\ P_1(t_1)\end{array}}{P(t)}\ (P(x) \Leftarrow P_1(x)/\mathrm{ACU})$$

in $\mathcal{B}/\mathrm{ACU}$. Also if $s \le_+ t$ then $s \le_+ t_1$, and by induction hypothesis we have a derivation $\pi_2$ of $P_1^\dagger(s)$ in $\mathcal{B}/\mathrm{ACU}$. Hence we have the derivation

$$\dfrac{\begin{array}{c}\pi_2\\ P_1^\dagger(s)\end{array}}{P^\dagger(s)}\ (P^\dagger(x) \Leftarrow P_1^\dagger(x)/\mathrm{ACU})$$

in $\mathcal{B}/\mathrm{ACU}$.

(iii) $\pi = \dfrac{\begin{array}{cc}\pi_1 & \pi_2\\ P_1(t_1) & P_2(t_2)\end{array}}{P(t)}\ (P(x+y) \Leftarrow P_1(x) \wedge P_2(y)/\mathrm{ACU})$

Clearly $t =_{\mathrm{ACU}} t_1 + t_2$. By induction hypothesis we have derivations $\pi_1$ and $\pi_2$ of $P_1(t_1)$ and $P_2(t_2)$ respectively in $\mathcal{B}/\mathrm{ACU}$. Hence we have the derivation

$$\dfrac{\begin{array}{cc}\pi_1 & \pi_2\\ P_1(t_1) & P_2(t_2)\end{array}}{P(t)}\ (P(x+y) \Leftarrow P_1(x) \wedge P_2(y)/\mathrm{ACU})$$

in $\mathcal{B}/\mathrm{ACU}$. Also if $s \le_+ t$ then we have some terms $s_1$ and $s_2$ such that $s =_{\mathrm{ACU}} s_1 + s_2$ and $s_1 \le_+ t_1$ and $s_2 \le_+ t_2$. By induction hypothesis we have derivations $\pi_3$ and $\pi_4$ of $P_1^\dagger(s_1)$ and $P_2^\dagger(s_2)$ in $\mathcal{B}/\mathrm{ACU}$. Hence we have the derivation

$$\dfrac{\begin{array}{cc}\pi_3 & \pi_4\\ P_1^\dagger(s_1) & P_2^\dagger(s_2)\end{array}}{P^\dagger(s)}\ (P^\dagger(x+y) \Leftarrow P_1^\dagger(x) \wedge P_2^\dagger(y)/\mathrm{ACU})$$

in $\mathcal{B}/\mathrm{ACU}$.

(iv) $\pi = \dfrac{\begin{array}{ccc}\pi_1 & \dots & \pi_n\\ P_1(t_1) & \dots & P_n(t_n)\end{array}}{P(t)}\ (P(f(x_1,\dots,x_n)) \Leftarrow P_1(x_1) \wedge \dots \wedge P_n(x_n)/\mathrm{ACU})$

where $f$ is free. Clearly $t =_{\mathrm{ACU}} f(t_1,\dots,t_n)$. By induction hypothesis we have derivations $\pi_1,\dots,\pi_n$ of $P_1(t_1),\dots,P_n(t_n)$ respectively in $\mathcal{B}/\mathrm{ACU}$. Hence we have the derivation

$$\dfrac{\begin{array}{ccc}\pi_1 & \dots & \pi_n\\ P_1(t_1) & \dots & P_n(t_n)\end{array}}{P(t)}\ (P(f(x_1,\dots,x_n)) \Leftarrow P_1(x_1) \wedge \dots \wedge P_n(x_n)/\mathrm{ACU})$$

in $\mathcal{B}/\mathrm{ACU}$. Also if $s \le_+ t$ then either $s =_{\mathrm{ACU}} 0$ or $s =_{\mathrm{ACU}} t$. We have the derivations

$$\dfrac{}{P^\dagger(s)}\ (P^\dagger(0)/\mathrm{ACU})$$

and

$$\dfrac{\begin{array}{ccc}\pi_1 & \dots & \pi_n\\ P_1(t_1) & \dots & P_n(t_n)\end{array}}{P^\dagger(t)}\ (P^\dagger(f(x_1,\dots,x_n)) \Leftarrow P_1(x_1) \wedge \dots \wedge P_n(x_n)/\mathrm{ACU})$$

in $\mathcal{B}/\mathrm{ACU}$. Hence both the cases mentioned above are taken care of.

(v) $\pi = \dfrac{\begin{array}{c}\pi_1\\ Q(t_1)\end{array}}{P(t)}\ (P(x) \Leftarrow Q(x+y)/\mathrm{ACU})$

This is the most interesting case. Clearly $t \le_+ t_1$. Hence by induction hypothesis we have a derivation $\pi_1$ of $Q^\dagger(t)$ in $\mathcal{B}/\mathrm{ACU}$. Hence we have the derivation

$$\dfrac{\begin{array}{c}\pi_1\\ Q^\dagger(t)\end{array}}{P(t)}\ (P(x) \Leftarrow Q^\dagger(x)/\mathrm{ACU})$$

in $\mathcal{B}/\mathrm{ACU}$. Also if $s \le_+ t$ then $s \le_+ t_1$ also. By induction hypothesis we have a derivation $\pi_2$ of $Q^\dagger(s)$ in $\mathcal{B}/\mathrm{ACU}$. Hence we have the derivation

$$\dfrac{\begin{array}{c}\pi_2\\ Q^\dagger(s)\end{array}}{P^\dagger(s)}\ (P^\dagger(x) \Leftarrow Q^\dagger(x)/\mathrm{ACU})$$

in $\mathcal{B}/\mathrm{ACU}$. $\square$

We now state the converse:


Lemma 56 For $P \in \mathcal{P}$:

(i) If $P(t)$ is derivable in $\mathcal{B}/\mathrm{ACU}$ then $P(t)$ is derivable in $\mathcal{A}/\mathrm{ACU}$.

(ii) If $P^\dagger(t)$ is derivable in $\mathcal{B}/\mathrm{ACU}$ then for some $s$ we have $t \le_+ s$ and $P(s)$ is derivable in $\mathcal{A}/\mathrm{ACU}$.

Proof: We prove results (i) and (ii) simultaneously by induction on derivations $\pi$ in $\mathcal{B}/\mathrm{ACU}$. We have the following cases:

(i) $\pi = \dfrac{}{P(t)}\ (P(0)/\mathrm{ACU})$

where $P \in \mathcal{P}$. Clearly $t =_{\mathrm{ACU}} 0$. Then we have the derivation $\dfrac{}{P(t)}\ (P(0)/\mathrm{ACU})$ in $\mathcal{A}/\mathrm{ACU}$.

(ii) $\pi = \dfrac{}{P^\dagger(t)}\ (P^\dagger(0)/\mathrm{ACU})$

where the clause $P^\dagger(0)$ is in $\mathcal{B}$ corresponding to the clause $P(0)$ of $\mathcal{A}$. Clearly $t =_{\mathrm{ACU}} 0$. Then we have the derivation $\dfrac{}{P(0)}\ (P(0)/\mathrm{ACU})$ in $\mathcal{A}/\mathrm{ACU}$, and $t \le_+ 0$.

(iii) $\pi = \dfrac{\begin{array}{c}\pi_1\\ P_1(t_1)\end{array}}{P(t)}\ (P(x) \Leftarrow P_1(x)/\mathrm{ACU})$

where $P, P_1 \in \mathcal{P}$. Clearly $t =_{\mathrm{ACU}} t_1$. By induction hypothesis we have a derivation $\pi_1$ of $P_1(t_1)$ in $\mathcal{A}/\mathrm{ACU}$. Hence we have the derivation

$$\dfrac{\begin{array}{c}\pi_1\\ P_1(t_1)\end{array}}{P(t)}\ (P(x) \Leftarrow P_1(x)/\mathrm{ACU})$$

in $\mathcal{A}/\mathrm{ACU}$.

(iv) $\pi = \dfrac{\begin{array}{c}\pi_1\\ P_1^\dagger(t_1)\end{array}}{P^\dagger(t)}\ (P^\dagger(x) \Leftarrow P_1^\dagger(x)/\mathrm{ACU})$

where the clause $P^\dagger(x) \Leftarrow P_1^\dagger(x)$ is in $\mathcal{B}$ corresponding to the clause $P(x) \Leftarrow P_1(x)$ of $\mathcal{A}$. Clearly $t =_{\mathrm{ACU}} t_1$. By induction hypothesis we have some $s$ such that $t_1 \le_+ s$ and we have a derivation $\pi_1$ of $P_1(s)$ in $\mathcal{A}/\mathrm{ACU}$. Then $t \le_+ s$ and we have the derivation

$$\dfrac{\begin{array}{c}\pi_1\\ P_1(s)\end{array}}{P(s)}\ (P(x) \Leftarrow P_1(x)/\mathrm{ACU})$$

in $\mathcal{A}/\mathrm{ACU}$.

(v) $\pi = \dfrac{\begin{array}{cc}\pi_1 & \pi_2\\ P_1(t_1) & P_2(t_2)\end{array}}{P(t)}\ (P(x+y) \Leftarrow P_1(x) \wedge P_2(y)/\mathrm{ACU})$

where $P, P_1, P_2 \in \mathcal{P}$. Clearly $t =_{\mathrm{ACU}} t_1 + t_2$. By induction hypothesis we have derivations $\pi_1$ and $\pi_2$ of $P_1(t_1)$ and $P_2(t_2)$ in $\mathcal{A}/\mathrm{ACU}$. Hence we have the derivation

$$\dfrac{\begin{array}{cc}\pi_1 & \pi_2\\ P_1(t_1) & P_2(t_2)\end{array}}{P(t)}\ (P(x+y) \Leftarrow P_1(x) \wedge P_2(y)/\mathrm{ACU})$$

in $\mathcal{A}/\mathrm{ACU}$.

(vi) $\pi = \dfrac{\begin{array}{cc}\pi_1 & \pi_2\\ P_1^\dagger(t_1) & P_2^\dagger(t_2)\end{array}}{P^\dagger(t)}\ (P^\dagger(x+y) \Leftarrow P_1^\dagger(x) \wedge P_2^\dagger(y)/\mathrm{ACU})$

where $P, P_1, P_2 \in \mathcal{P}$. Clearly $t =_{\mathrm{ACU}} t_1 + t_2$. By induction hypothesis we have some $s_1$ and $s_2$ such that $t_1 \le_+ s_1$, $t_2 \le_+ s_2$ and we have derivations $\pi_1$ and $\pi_2$ of $P_1(s_1)$ and $P_2(s_2)$ respectively in $\mathcal{A}/\mathrm{ACU}$. Then clearly $t \le_+ s_1 + s_2$ and we have the derivation

$$\dfrac{\begin{array}{cc}\pi_1 & \pi_2\\ P_1(s_1) & P_2(s_2)\end{array}}{P(s_1 + s_2)}\ (P(x+y) \Leftarrow P_1(x) \wedge P_2(y)/\mathrm{ACU})$$

in $\mathcal{A}/\mathrm{ACU}$.

(vii) $\pi = \dfrac{\begin{array}{ccc}\pi_1 & \dots & \pi_n\\ P_1(t_1) & \dots & P_n(t_n)\end{array}}{P(t)}\ (P(f(x_1,\dots,x_n)) \Leftarrow P_1(x_1) \wedge \dots \wedge P_n(x_n)/\mathrm{ACU})$

where $f$ is free and $P, P_1, \dots, P_n \in \mathcal{P}$. Clearly $t =_{\mathrm{ACU}} f(t_1,\dots,t_n)$. By induction hypothesis we have derivations $\pi_1,\dots,\pi_n$ of $P_1(t_1),\dots,P_n(t_n)$ respectively in $\mathcal{A}/\mathrm{ACU}$. Hence we have the derivation

$$\dfrac{\begin{array}{ccc}\pi_1 & \dots & \pi_n\\ P_1(t_1) & \dots & P_n(t_n)\end{array}}{P(t)}\ (P(f(x_1,\dots,x_n)) \Leftarrow P_1(x_1) \wedge \dots \wedge P_n(x_n)/\mathrm{ACU})$$

in $\mathcal{A}/\mathrm{ACU}$.

(viii) $\pi = \dfrac{\begin{array}{ccc}\pi_1 & \dots & \pi_n\\ P_1(t_1) & \dots & P_n(t_n)\end{array}}{P^\dagger(t)}\ (P^\dagger(f(x_1,\dots,x_n)) \Leftarrow P_1(x_1) \wedge \dots \wedge P_n(x_n)/\mathrm{ACU})$

where $P, P_1, \dots, P_n \in \mathcal{P}$. By induction hypothesis we have derivations $\pi_1,\dots,\pi_n$ of $P_1(t_1),\dots,P_n(t_n)$ respectively in $\mathcal{A}/\mathrm{ACU}$. We know that $t \le_+ t$ and also we have the derivation

$$\dfrac{\begin{array}{ccc}\pi_1 & \dots & \pi_n\\ P_1(t_1) & \dots & P_n(t_n)\end{array}}{P(t)}\ (P(f(x_1,\dots,x_n)) \Leftarrow P_1(x_1) \wedge \dots \wedge P_n(x_n)/\mathrm{ACU})$$

in $\mathcal{A}/\mathrm{ACU}$.

(ix) $\pi = \dfrac{}{P^\dagger(t)}\ (P^\dagger(0)/\mathrm{ACU})$

where the clause $P^\dagger(0)$ is in $\mathcal{B}$ corresponding to the clause $P(f(x_1,\dots,x_n)) \Leftarrow P_1(x_1) \wedge \dots \wedge P_n(x_n)$ in $\mathcal{A}$. Clearly $t =_{\mathrm{ACU}} 0$. Since we assumed that each state in $\mathcal{A}$ is non-empty, we have terms $t_1,\dots,t_n$ such that we have derivations $\pi_1,\dots,\pi_n$ of the atoms $P_1(t_1),\dots,P_n(t_n)$ respectively. Clearly $t \le_+ f(t_1,\dots,t_n)$ and we also have the derivation

$$\dfrac{\begin{array}{ccc}\pi_1 & \dots & \pi_n\\ P_1(t_1) & \dots & P_n(t_n)\end{array}}{P(f(t_1,\dots,t_n))}\ (P(f(x_1,\dots,x_n)) \Leftarrow P_1(x_1) \wedge \dots \wedge P_n(x_n)/\mathrm{ACU})$$

in $\mathcal{A}/\mathrm{ACU}$. Next we have the two most interesting cases (x) and (xi).

(x) $\pi = \dfrac{\begin{array}{c}\pi_1\\ Q^\dagger(t_1)\end{array}}{P(t)}\ (P(x) \Leftarrow Q^\dagger(x)/\mathrm{ACU})$

where $P, Q \in \mathcal{P}$. Clearly $t =_{\mathrm{ACU}} t_1$. By induction hypothesis we have some $s$ such that $t_1 \le_+ s$ and there is a derivation $\pi_1$ of $Q(s)$ in $\mathcal{A}/\mathrm{ACU}$. Since $t \le_+ s$ we have the derivation

$$\dfrac{\begin{array}{c}\pi_1\\ Q(s)\end{array}}{P(t)}\ (P(x) \Leftarrow Q(x+y)/\mathrm{ACU})$$

in $\mathcal{A}/\mathrm{ACU}$.

(xi) $\pi = \dfrac{\begin{array}{c}\pi_1\\ Q^\dagger(t_1)\end{array}}{P^\dagger(t)}\ (P^\dagger(x) \Leftarrow Q^\dagger(x)/\mathrm{ACU})$

where the clause $P^\dagger(x) \Leftarrow Q^\dagger(x)$ is in $\mathcal{B}$ corresponding to the clause $P(x) \Leftarrow Q(x+y)$ in $\mathcal{A}$. Clearly $t =_{\mathrm{ACU}} t_1$. By induction hypothesis we have some $s$ such that $t_1 \le_+ s$ and we have a derivation $\pi_1$ of $Q(s)$ in $\mathcal{A}/\mathrm{ACU}$. We have $t \le_+ s$. Hence we have the derivation

$$\dfrac{\begin{array}{c}\pi_1\\ Q(s)\end{array}}{P(t)}\ (P(x) \Leftarrow Q(x+y)/\mathrm{ACU})$$

in $\mathcal{A}/\mathrm{ACU}$, and we know that $t \le_+ t$. $\square$

Now if the final state of $\mathcal{A}$ is $P$ then we name $P$ to be also the final state of $\mathcal{B}$. From Lemmas 55 and 56 we have $\mathcal{L}(\mathcal{A}/\mathrm{ACU}) = \mathcal{L}(\mathcal{B}/\mathrm{ACU})$. We conclude that

Theorem 38 The automata modulo ACU containing one-way ACU automata clauses and standard +-push clauses can be converted in polynomial time to one-way ACU automata accepting the same language.

The construction described above takes linear time. This construction is based on the assumption that the empty states of the automaton have already been removed. This step can be carried out in polynomial time by Lemma 54.
While we are able to do the above construction for the ACU theory in linear time, these ideas fail to work in the case of AC (even under the assumption that all the empty states of the automaton have already been removed). It is actually an open question whether such a translation can be done for the AC theory in linear time. We now explain why the above ideas fail in the case of the AC theory. Define an operator $Cl$ as $Cl(S) = \{s \mid \exists t \in S \cdot s \le_+ t\}$. In the ACU case, a standard +-push clause $P(x) \Leftarrow Q(x+y)$ intuitively tells us to accept at $P$ the terms in $Cl(S)$ where $S$ is the set of terms accepted at $Q$. In the above construction, the states $Q^\dagger$ accept the terms in $Cl(S)$ where $S$ is the set of terms accepted at $Q$. The operator $Cl$ has the nice properties that $S \subseteq Cl(S)$ and $Cl(Cl(S)) = Cl(S)$. This justifies the translation of the clause $P(x) \Leftarrow Q(x+y)$ in the automaton $\mathcal{A}$ above by the pair of clauses $P(x) \Leftarrow Q^\dagger(x)$ and $P^\dagger(x) \Leftarrow Q^\dagger(x)$.

However in the AC case the situation is somewhat different. Here we need to define an operator $Cl'$ as $Cl'(S) = \{s \mid \exists t \in S \cdot \exists u \cdot s + u =_{\mathrm{AC}} t\}$. Then a standard +-push clause $P(x) \Leftarrow Q(x+y)$ intuitively tells us to accept at $P$ the terms in $Cl'(S)$ where $S$ is the set of terms accepted at $Q$. We don't have the property $S \subseteq Cl'(S)$ since we don't have a unit symbol for the + operator. Neither do we have the property $Cl'(Cl'(S)) = Cl'(S)$. As an example, if all the free symbols in the signature are constants, then $Cl'(S)$ contains all those terms which are obtained by removing at least one symbol from some term in $S$, whereas $Cl'(Cl'(S))$ contains all those terms which are obtained by removing at least two symbols from some term in $S$. Hence there is some kind of counting implicit in the $Cl'$ operator, which makes it difficult to define clauses corresponding to states of the form $Q^\dagger$ such that $Q^\dagger$ accepts the terms in $Cl'(S)$ where $S$ is the set of terms accepted at $Q$.

In order to solve the problem in the AC case, we take a detour through an extension of Vector Addition Systems with States (VASS), defined and studied in the next section.


11.2 Extended VASS

We first try to motivate our study of VASS and its extension by giving some ideas as to how they are connected to equational tree automata. Vector Addition Systems with States (or VASS) can be thought of as automata on tuples of natural numbers. A VASS has a finite number of states, each of which accepts a set of tuples. First of all we fix a number $p \in \mathbb{N}$ for the rest of this section, so that we will be interested in (extensions of) VASS which accept tuples from $\mathbb{N}^p$. Now observe that if we have an AC or ACU automaton on a signature in which the free symbols are exactly the constants $a_1,\dots,a_p$, then the terms on this signature can be thought of as tuples from $\mathbb{N}^p$. Hence it is natural to think of possibilities of translation of our automata to VASS. To be more precise:

Definition 9 (VASS) A Vector Addition System with States (VASS) consists of a finite set of states and a finite set of transitions of the form $q \xrightarrow{v} q'$ where $q$ and $q'$ are states and $v \in \mathbb{Z}^p$. Configurations of a VASS are of the form $q(v)$ where $q$ is a state and $v \in \mathbb{N}^p$. A VASS in addition has an initial configuration.

Intuitively the transition $q \xrightarrow{v} q'$ says that if $u_1 \in \mathbb{N}^p$ is accepted at $q$ and $u_1 + v \in \mathbb{N}^p$, then $u_1 + v$ is accepted at $q'$. Thus moves of the VASS are defined by the binary relation $\rightarrow$ where $q(u_1) \rightarrow q'(u_2)$ iff for some transition $q \xrightarrow{v} q'$ we have $u_1 + v = u_2$. (As mentioned above, we assume $u_1, u_2 \in \mathbb{N}^p$.) Its reflexive transitive closure $\rightarrow^*$ is the reachability relation on configurations. Configurations reachable from the initial configuration are said to be the reachable configurations of the VASS.
Now if we try to translate our automata to VASS, then a simple clause $q'(x) \Leftarrow q(x + a_i)$ can easily be translated by the transition $q \xrightarrow{v} q'$ with $v = (0,\dots,0,-1,0,\dots,0)$ where the '$-1$' is put in the $i$-th component of $v$. The clause intuitively tells us to delete a constant $a_i$ from some term accepted at $q$, and the resulting term is accepted at $q'$. Deleting $a_i$ from a term corresponds to subtracting 1 from the $i$-th component of a tuple. Now a standard +-push clause $P(x) \Leftarrow Q(x+y)$ in the AC case simply tells us to delete an arbitrary number of (but at least one) constants from some term accepted at $Q$, and the resulting term is accepted at $P$. Such a clause can easily be expressed using clauses of the form $q'(x) \Leftarrow q(x + a_i)$ by having a loop. Similarly an epsilon clause $q'(x) \Leftarrow q(x)$ is translated as the transition $q \xrightarrow{v} q'$ with $v = (0,\dots,0)$. A clause of the form $q'(x + a_i) \Leftarrow q(x)$, which is a restricted version of the +-pop clause, can be translated as the transition $q \xrightarrow{v} q'$ with $v = (0,\dots,0,1,0,\dots,0)$ where the '1' is put in the $i$-th component of $v$. Note that some care needs to be taken in the translation described above if we are working modulo AC, in order to avoid deriving the '0' term, which corresponds to the tuple $(0,\dots,0)$.

However the main problem occurs when we try to translate +-pop clauses of the form $P(x+y) \Leftarrow P_1(x) \wedge P_2(y)$. Such a clause has no obvious translation to the transitions of VASS described above. If we try to equate the derivable atoms of our automata with the reachable configurations of a VASS, then observe that the derivations in our automata are branching tree-like structures (precisely because of the +-pop clauses), whereas a VASS can be thought of as being able to move in a linear fashion from one configuration to another. It is to deal with such clauses that we define an extension of VASS in Definition 10 below. Observe also that we have changed our representation slightly so that the transitions are now written in the form of clauses, which makes them look more like our automata.

Definition 10 (Extended VASS) An extended VASS $\mathcal{V}$ is a set of clauses of the form

$$P(v),\quad v \in \mathbb{N}^p \tag{11.1}$$

$$P(x + v) \Leftarrow P_1(x),\quad v \in \mathbb{Z}^p \tag{11.2}$$

$$P(x + y) \Leftarrow P_1(x) \wedge P_2(y) \tag{11.3}$$

where $P, P_1, P_2$ are predicates.

Clauses (11.1) are called constant clauses. Clauses (11.2) are called constant-addition clauses. Clauses (11.3) are called addition clauses.

We clarify that for our discussion, $P(x+y) \Leftarrow P_1(x) \wedge P_2(y)$, $P(x+y) \Leftarrow P_2(x) \wedge P_1(y)$, and $P(y+x) \Leftarrow P_1(x) \wedge P_2(y)$ are three different notations for the same mathematical object.

Definition 11 (Configuration) Configurations are of the form $P(v)$ where $v \in \mathbb{N}^p$. Generalized configurations are of the form $P(v)$ where $v \in (\mathbb{N} \cup \{\infty\})^p$.

For $1 \le i \le p$, $v(i)$ denotes the $i$-th component of $v$. If $I = \{i_1,\dots,i_n\}$ where $1 \le i_1 < \dots < i_n \le p$ then $v(I) = (v(i_1),\dots,v(i_n))$.

Definition 12 (Derivation in Extended VASS) The set of configurations which are derivable in an extended VASS $\mathcal{V}$ is defined inductively as

1. If $P(v)$ is a constant clause then $P(v)$ is derivable in $\mathcal{V}$.

2. If $P_1(v_1)$ is derivable in $\mathcal{V}$, $P(x + v) \Leftarrow P_1(x)$ is a constant-addition clause, and $v_1 + v \ge 0$, then $P(v_1 + v)$ is derivable in $\mathcal{V}$.

3. If $P_1(v_1)$ and $P_2(v_2)$ are derivable in $\mathcal{V}$, and $P(x+y) \Leftarrow P_1(x) \wedge P_2(y)$ is an addition clause, then $P(v_1 + v_2)$ is derivable.

In the last rule, it is guaranteed that $v_1 \ge 0$ and $v_2 \ge 0$, hence $v_1 + v_2 \ge 0$. We will simply say that a configuration $P(v)$ is derivable when the extended VASS involved is obvious. The constant-addition clauses of the form $P(x + v) \Leftarrow P_1(x)$ correspond to the transitions $P_1 \xrightarrow{v} P$ in VASS. While this is the only kind of transition in VASS, in EVASS we have the addition clauses (11.3), for which there is no equivalent in VASS. To make the translation from VASS to EVASS complete, if the initial configuration of the VASS is $q(v)$ then we add the constant clause $q(v)$ to the translated EVASS. In this way the set of reachable configurations of the VASS is the same as that of the EVASS we get from this translation. Hence a VASS can be thought of as an EVASS which has no addition clause and which has exactly one constant clause.

Next we are going to extend the notion of Karp and Miller trees to our extended VASS. This poses some complications. A path in the Karp and Miller tree for a VASS corresponds to a path in the VASS. For extended VASS, instead of paths we have the corresponding notion of derivation, which is actually a tree-like structure (because of the addition clauses) instead of a sequence. Hence the structure corresponding to Karp and Miller trees would be a tree-like structure branching in the upward as well as the downward direction, which would be cumbersome to reason about. To simplify the presentation, we have broken the construction into two phases. First we define a notion of covering derivation, which is a tree structure and vaguely corresponds to the finite paths of Karp and Miller trees. We do all our reasoning on these derivations, instead of reasoning on a structure containing all such derivations. Finally we just show that there are only a finite number of such derivations, by showing how to construct a (finite) forest of all such derivations. This last step corresponds to the result that the Karp and Miller trees for VASS are finite. (We have a forest instead of a tree because we have arbitrarily many constant clauses, whereas in VASS we consider a single starting configuration.)

Definition 13 (Covering Derivation) Assume fixed an extended VASS $\mathcal{V}$. A covering derivation $\delta$ is a finite tree, each of whose nodes is labeled with a generalized configuration and a clause, constructed using the following rules:

1. If $P(v)$ is a constant clause then the tree with a single node $N$ labeled with the generalized configuration $P(v)$ and with the same clause is a covering derivation.

2. If

- there is a covering derivation $\delta_1$ whose root is labeled with generalized configuration $P_1(v_1)$,

- there is no other node in $\delta_1$ labeled with generalized configuration $P_1(v_1)$,

- there is a clause $C = P(x + v_2) \Leftarrow P_1(x)$,

- $v_1 + v_2 \ge 0$,

then the tree whose root $N$ is labeled with the clause $C$ and the generalized configuration $P(v)$, and has $\delta_1$ as unique child, is a covering derivation, where $v(i)$ is defined for each $1 \le i \le p$ as follows:

(a) If there is some node $N'$ in $\delta_1$ labeled with the generalized configuration $P(v')$ such that $v' \le v_1 + v_2$ and $v'(i) < v_1(i) + v_2(i)$, then $v(i) = \infty$.

(b) Otherwise $v(i) = v_1(i) + v_2(i)$.

3. If

- $\delta_1$ is a covering derivation whose root is labeled with generalized configuration $P_1(v_1)$,

- no other node in $\delta_1$ is labeled with the generalized configuration $P_1(v_1)$,

- $\delta_2$ is a covering derivation whose root is labeled with generalized configuration $P_2(v_2)$,

- no other node in $\delta_2$ is labeled with $P_2(v_2)$,

- there is a clause $C = P(x + y) \Leftarrow P_1(x) \wedge P_2(y)$,

then the tree whose root $N$ is labeled with the clause $C$ and the generalized configuration $P(v)$, and has the two children $\delta_1$ and $\delta_2$, is a covering derivation, where $v(i)$ is defined for each $1 \le i \le p$ as follows:

(a) If there is some node $N'$ in $\delta_1$ or $\delta_2$ labeled with a generalized configuration $P(v')$ such that $v' \le v_1 + v_2$ and $v'(i) < v_1(i) + v_2(i)$, then $v(i) = \infty$.

(b) Otherwise $v(i) = v_1(i) + v_2(i)$.

Intuitively, covering derivations compute 'limits' of the configurations derivable in an extended VASS. This is made precise by Theorems 39 and 40 below.
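Rules 1 to 3 of Definition 13, as an added Python example that is not part of the thesis; the Node class, the clause tuples and the two-component EVASS (one constant clause, one constant-addition loop, one addition clause) are constructed here for the illustration.

```python
import math

INF = math.inf   # the oo of generalized configurations; Python orders and adds it correctly

class Node:
    """One node of a covering derivation: predicate, generalized configuration,
    the clause that produced it, and its child subtrees."""
    def __init__(self, pred, vec, clause, children=()):
        self.pred, self.vec, self.clause = pred, tuple(vec), clause
        self.children = list(children)

    def nodes(self):
        yield self
        for c in self.children:
            yield from c.nodes()

def leq(u, v):
    return all(a <= b for a, b in zip(u, v))

def add(u, v):
    return tuple(a + b for a, b in zip(u, v))

def accelerate(pred, raw, subtrees):
    """Side conditions (a)/(b): component i becomes oo when some node P(v') below
    satisfies v' <= raw (= v1 + v2) and v'(i) < raw(i); otherwise it keeps raw(i)."""
    vec = list(raw)
    for i in range(len(raw)):
        for t in subtrees:
            for n in t.nodes():
                if n.pred == pred and leq(n.vec, raw) and n.vec[i] < raw[i]:
                    vec[i] = INF
    return tuple(vec)

def root_unique(tree):
    """Premise of rules 2 and 3: no other node carries the root's generalized configuration."""
    return sum(1 for n in tree.nodes() if (n.pred, n.vec) == (tree.pred, tree.vec)) == 1

def rule1(pred, vec):
    """Rule 1: a constant clause P(v) gives a one-node covering derivation."""
    return Node(pred, vec, ("const", pred, tuple(vec)))

def rule2(clause, sub):
    """Rule 2; clause = ("addconst", P, P1, v2) stands for P(x + v2) <= P1(x)."""
    _, p, p1, v2 = clause
    if sub.pred != p1 or not root_unique(sub):
        raise ValueError("rule 2 premise violated")
    raw = add(sub.vec, v2)
    if any(c < 0 for c in raw):
        raise ValueError("v1 + v2 >= 0 is required")
    return Node(p, accelerate(p, raw, [sub]), clause, [sub])

def rule3(clause, sub1, sub2):
    """Rule 3; clause = ("add", P, P1, P2) stands for P(x + y) <= P1(x) /\ P2(y)."""
    _, p, p1, p2 = clause
    if (sub1.pred, sub2.pred) != (p1, p2) or not (root_unique(sub1) and root_unique(sub2)):
        raise ValueError("rule 3 premise violated")
    raw = add(sub1.vec, sub2.vec)
    return Node(p, accelerate(p, raw, [sub1, sub2]), clause, [sub1, sub2])

# Constructed EVASS with p = 2:  P(1,0);  P(x + (0,1)) <= P(x);  R(x+y) <= P(x) /\ P(y)
C_P = ("const", "P", (1, 0))
C_LOOP = ("addconst", "P", "P", (0, 1))
C_ADD = ("add", "R", "P", "P")

def example():
    """Build three covering derivations and return their root configurations."""
    d0 = rule1("P", (1, 0))
    # Node P(1,0) <= (1,1) with 0 < 1 in component 2, so the loop is accelerated to P(1,oo).
    d1 = rule2(C_LOOP, d0)
    # Adding two P-derivations gives R(2,oo); no R node below, so nothing more is accelerated.
    d2 = rule3(C_ADD, d1, rule1("P", (1, 0)))
    # Applying the loop once more yields a root P(1,oo) equal to its child's label,
    # so this tree can no longer serve as a premise of rules 2 or 3.
    d3 = rule2(C_LOOP, d1)
    return d1.vec, d2.vec, root_unique(d3)
```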

Theorem 39 Let $\mathcal{V}$ be an extended VASS. If a configuration $P(v)$ is derivable, then there is a covering derivation $\delta$ with root labeled with some generalized configuration $P(v')$ such that for all $1 \le i \le p$, if $v'(i) < \infty$ then $v'(i) = v(i)$.

Proof: We do induction on the size of the derivation of $P(v)$. We have the following cases:

(i) If $P(v)$ is derivable using the constant clause $P(v)$, then by using Rule 1 of Definition 13 we have a covering derivation $\delta$ with root labeled with the configuration $P(v)$, which satisfies the requirements.

(ii) Suppose $P(v_1 + v_2)$ is derivable from the derivation of $P_1(v_1)$ using the clause $P(x + v_2) \Leftarrow P_1(x)$. By induction hypothesis we have a covering derivation $\delta_1$ with root labeled with some $P_1(v_1')$ such that if $v_1'(i) < \infty$ then $v_1'(i) = v_1(i)$. We pick a minimal such $\delta_1$. Consequently no other node in $\delta_1$ is labeled with $P_1(v_1')$ (otherwise we would have picked the covering derivation rooted at the latter node instead). Clearly we have $v_1 + v_2 \ge 0$ and hence $v_1' + v_2 \ge 0$. By using Rule 2 of Definition 13, we get a covering derivation $\delta$ with root labeled by a generalized configuration $P(v')$ with the property that if $v'(i) < \infty$ then $v'(i) = v_1'(i) + v_2(i)$. But then if $v'(i) < \infty$ then $v_1'(i) < \infty$ and hence $v_1'(i) = v_1(i)$, so $v'(i) = v_1(i) + v_2(i)$. Hence $\delta$ is the required covering derivation.

(iii) Suppose $P(v_1 + v_2)$ is derivable from the derivations of $P_1(v_1)$ and $P_2(v_2)$ using the clause $P(x + y) \Leftarrow P_1(x) \wedge P_2(y)$. By induction hypothesis, we have covering derivations $\delta_1$ and $\delta_2$ with roots labeled with $P_1(v_1')$ and $P_2(v_2')$ respectively such that for all $i$, if $v_1'(i) < \infty$ then $v_1'(i) = v_1(i)$, and if $v_2'(i) < \infty$ then $v_2'(i) = v_2(i)$. As in the previous case we may assume that no non-root node in $\delta_1$ is labeled with the generalized configuration $P_1(v_1')$ and no non-root node in $\delta_2$ is labeled with the generalized configuration $P_2(v_2')$. By using Rule 3 of Definition 13, we get a covering derivation $\delta$ with root labeled by a generalized configuration $P(v')$ with the property that if $v'(i) < \infty$ then $v'(i) = v_1'(i) + v_2'(i)$. But then if $v'(i) < \infty$, then $v_1'(i), v_2'(i) < \infty$, and hence $v_1'(i) = v_1(i)$ and $v_2'(i) = v_2(i)$, implying that $v'(i) = v_1(i) + v_2(i)$. Hence $\delta$ is the required covering derivation.

$\square$
Definition 14 (Linear Path) Assume fixed an extended VASS $\mathcal{V}$. A linear path $\pi$ is a sequence of nodes $N_1, \ldots, N_n$ for some $n \ge 1$, and edges $e_i$ from $N_i$ to $N_{i+1}$ for $1 \le i < n$, with each $N_i$ labeled by a predicate $P_i$, and each $e_i$ labeled by

(i) either a constant-addition clause of the form $P_{i+1}(x + \nu) \Leftarrow P_i(x)$,

(ii) or a pair of the form $(C, Q(\nu))$ where $C$ is an addition clause of the form $P_{i+1}(x + y) \Leftarrow P_i(x) \wedge Q(y)$, and $Q(\nu)$ is derivable in $\mathcal{V}$.

In both cases (i) and (ii) of Definition 14 we say that the valuation of the edge is $v(e_i) = \nu$. The valuation of the linear path is defined as $v(\pi) = \sum_{1 \le i < n} v(e_i)$. We also say that $\pi$ is a linear path from $P_1$ to $P_n$. We sometimes denote $\pi$ as

$$P_1 \xrightarrow{e_1} P_2 \xrightarrow{e_2} \cdots P_{n-1} \xrightarrow{e_{n-1}} P_n$$

If

$$\pi_1 = P_1 \xrightarrow{e_1} P_2 \xrightarrow{e_2} \cdots P_{n-1} \xrightarrow{e_{n-1}} P_n$$

and

$$\pi_2 = P_n \xrightarrow{e_n} P_{n+1} \xrightarrow{e_{n+1}} \cdots P_{n+m-1} \xrightarrow{e_{n+m-1}} P_{n+m}$$

then we define the concatenation of $\pi_1$ and $\pi_2$ as the linear path

$$\pi_1 \pi_2 = P_1 \xrightarrow{e_1} P_2 \xrightarrow{e_2} \cdots P_{n-1} \xrightarrow{e_{n-1}} P_n \xrightarrow{e_n} P_{n+1} \xrightarrow{e_{n+1}} \cdots P_{n+m-1} \xrightarrow{e_{n+m-1}} P_{n+m}$$

Note that $\pi_1 \pi_2$ is defined only when the last predicate of $\pi_1$ is equal to the first predicate of $\pi_2$. In such a case we clearly have the equality

$$v(\pi_1 \pi_2) = v(\pi_1) + v(\pi_2)$$

Definition 15 (Admissible Linear Path) Given a tuple $\nu \in (\mathbb{N} \cup \{\infty\})^p$, the linear path $\pi$ is said to be admissible for $\nu$ if for each prefix $\pi'$ of $\pi$ we have $\nu + v(\pi') \ge 0$. It is admissible with respect to $I \subseteq \{1, \ldots, p\}$ if $(\nu + v(\pi'))(I) \ge 0$ for all such $\pi'$.

Then it is easy to see that if $\pi$ is a linear path from $P_1$ to $P_n$ which is admissible for $\nu$, and $P_1(\nu)$ is derivable in $\mathcal{V}$ (in which case $\nu$ has no infinite coordinate by definition), then $P_n(\nu + v(\pi))$ is derivable. Also, if $\pi_1$ is admissible for $\nu$ and $\pi_2$ is admissible for $\nu + v(\pi_1)$, then $\pi_1 \pi_2$ is admissible for $\nu$.

Example 8 Consider an EVASS with the following set of clauses:

$C_1 = P_1(2, 5)$

$C_2 = P_2(3, 4)$

$C_3 = P_3(x + y) \Leftarrow P_1(x) \wedge P_2(y)$

$C_4 = P_1(x + (-2, -4)) \Leftarrow P_3(x)$

$C_5 = P_2(x + (2, -5)) \Leftarrow P_3(x)$

Some configurations derivable in this EVASS are $P_1(2, 5)$, $P_2(3, 4)$, $P_3(5, 9)$, $P_1(2 + n, 5)$, $P_3(5 + n, 9)$ and $P_2(3 + 4n, 4)$ for all $n \ge 0$. Figure 11.1 shows an example of a covering derivation for this EVASS. Figure 11.2 is an example of a linear path. Note that the configurations $P_2(3, 4)$ and $P_1(50, 5)$ are derivable in the EVASS.
Fig. 11.1 – A covering derivation for the EVASS in Example 8 (each node is given by its generalized configuration, with the clause applied at that node in brackets; children are indented below their parent):

$P_1(\infty, 5)$ [$C_4$]
  $P_3(\infty, 9)$ [$C_3$]
    $P_1(\infty, 5)$ [$C_4$]
      $P_3(5, 9)$ [$C_3$]
        $P_1(2, 5)$ [$C_1$]
        $P_2(3, 4)$ [$C_2$]
    $P_2(\infty, 4)$ [$C_5$]
      $P_3(5, 9)$ [$C_3$]
        $P_1(2, 5)$ [$C_1$]
        $P_2(3, 4)$ [$C_2$]

Fig. 11.2 – A linear path for the EVASS in Example 8, from $P_1$ through $P_3$ and $P_2$ back to $P_3$, with edges labelled $(C_3, P_2(3,4))$, $C_5$ and $(C_3, P_1(50,5))$:

$$P_1 \xrightarrow{(C_3,\ P_2(3,4))} P_3 \xrightarrow{C_5} P_2 \xrightarrow{(C_3,\ P_1(50,5))} P_3$$
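The construction of Definition 13 run on Example 8, as an added worked example that is not part of the thesis. The Python below encodes the five clauses of Example 8, applies Rules 1 to 3 of Definition 13 until no new covering derivation appears (Theorem 41 guarantees that this terminates), and checks the resulting root labels against the configurations the example lists as derivable, which is the direction of Theorem 39. The clause encoding, the class `Deriv`, the functions `cover`, `covering_derivations`, `root_labels` and `covered`, and the side condition $\nu_1 + \nu_2 \ge 0$ on Rule 2 (as used in the proof of Theorem 39) are assumptions made for this example.

```python
# Added example, not part of the thesis: Definition 13 on the EVASS of Example 8.
# Clause encoding (an assumption made for this example):
#   ("const", P, v)        constant clause          P(v)
#   ("cadd",  P, P1, v)    constant-addition clause P(x + v) <= P1(x)
#   ("add",   P, P1, P2)   addition clause          P(x + y) <= P1(x) /\ P2(y)
INF = float("inf")          # the coordinate "oo" of a generalized configuration

EXAMPLE_8 = [
    ("const", "P1", (2, 5)),                 # C1
    ("const", "P2", (3, 4)),                 # C2
    ("add",   "P3", "P1", "P2"),             # C3 = P3(x + y) <= P1(x) /\ P2(y)
    ("cadd",  "P1", "P3", (-2, -4)),         # C4 = P1(x + (-2, -4)) <= P3(x)
    ("cadd",  "P2", "P3", (2, -5)),          # C5 = P2(x + (2, -5)) <= P3(x)
]


def vadd(a, b):
    """Componentwise sum; oo absorbs any finite summand."""
    return tuple(x + y for x, y in zip(a, b))


class Deriv:
    """A covering derivation: a tree whose nodes carry a clause and a generalized configuration."""

    def __init__(self, clause, pred, val, children=()):
        self.clause, self.pred, self.val, self.children = clause, pred, val, tuple(children)
        # labels of all nodes (root included), used by the side conditions of Rules 2 and 3
        self.labels = [(pred, val)] + [lab for c in children for lab in c.labels]
        self.key = (clause, pred, val, tuple(c.key for c in children))

    def root_unique(self):
        """Side condition of Rules 2 and 3: no other node carries the root's label."""
        return self.labels.count((self.pred, self.val)) == 1


def cover(pred, total, subtrees):
    """Items (a)/(b) of Rules 2 and 3. total is v1 + v2; every node P(v') in the subtrees with
    v' <= total makes each coordinate i with v'(i) < total(i) infinite (it can be pumped)."""
    out = list(total)
    for tree in subtrees:
        for q, w in tree.labels:
            if q == pred and all(x <= y for x, y in zip(w, total)):
                for i, (x, y) in enumerate(zip(w, total)):
                    if x < y:
                        out[i] = INF
    return tuple(out)


def covering_derivations(clauses):
    """Every covering derivation of the EVASS (Rules 1-3 to a fixpoint; finite by Theorem 41)."""
    found = {}

    def add(d):
        if d.key in found:
            return False
        found[d.key] = d
        return True

    for c in clauses:                                       # Rule 1
        if c[0] == "const":
            add(Deriv(c, c[1], c[2]))
    changed = True
    while changed:
        changed = False
        for d1 in list(found.values()):
            if not d1.root_unique():
                continue
            for c in clauses:
                if c[0] == "cadd" and c[2] == d1.pred:      # Rule 2, needs v1 + v2 >= 0
                    total = vadd(d1.val, c[3])
                    if all(x >= 0 for x in total):
                        changed |= add(Deriv(c, c[1], cover(c[1], total, [d1]), [d1]))
                elif c[0] == "add" and c[2] == d1.pred:     # Rule 3
                    for d2 in list(found.values()):
                        if d2.pred == c[3] and d2.root_unique():
                            total = vadd(d1.val, d2.val)
                            changed |= add(Deriv(c, c[1], cover(c[1], total, [d1, d2]), [d1, d2]))
    return list(found.values())


def root_labels(clauses):
    """The finitely many generalized configurations labelling roots of covering derivations."""
    return {(d.pred, d.val) for d in covering_derivations(clauses)}


def covered(labels, pred, conf):
    """Theorem 39: some root label P(v') agrees with P(conf) on the finite coordinates of v'."""
    return any(q == pred and all(g == INF or g == x for g, x in zip(gen, conf))
               for q, gen in labels)


if __name__ == "__main__":
    labels = root_labels(EXAMPLE_8)
    for lab in sorted(labels, key=str):
        print(lab)
    # every configuration Example 8 lists as derivable is covered by some root label
    assert all(covered(labels, "P1", (2 + n, 5)) for n in range(50))
    assert all(covered(labels, "P3", (5 + n, 9)) for n in range(50))
    assert all(covered(labels, "P2", (3 + 4 * n, 4)) for n in range(50))
```

On Example 8 the fixpoint contains exactly the root labels $P_1(2,5)$, $P_2(3,4)$, $P_3(5,9)$, $P_1(\infty,5)$, $P_2(\infty,4)$ and $P_3(\infty,9)$, and the run stops because every derivation whose root label already occurs below it (such as the root of Fig. 11.1) fails the side condition of Rules 2 and 3 and so cannot be extended.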
We require the following auxiliary lemma to prove Theorem 40, which is the most crucial result of our discussion on extended VASS's.

Lemma 57 Let $\mathcal{V}$ be an extended VASS. Let $\delta$ be a covering derivation such that, given any generalized configuration $P(\nu)$ occurring in this derivation, we can find a $\nu'$ such that

- $P(\nu')$ is derivable,
- for each $i \in \{1, \ldots, p\}$, if $\nu(i) < \infty$ then $\nu'(i) = \nu(i)$.

Suppose that $N_1$, labeled with the generalized configuration $P_1(\nu_1)$, is a descendant of $N_2$, labeled with the generalized configuration $P_2(\nu_2)$. Let $I$ be such that for each $i \in I$, $\nu_2(i) < \infty$. Then we can find a linear path $\pi$ from $P_1$ to $P_2$ which is admissible for $\nu_1$ wrt $I$ and such that $(\nu_1 + v(\pi))(I) = \nu_2(I)$.

Proof: We induct on the distance between the nodes $N_1$ and $N_2$ in the tree $\delta$. We have the following cases:

(i) Suppose the distance is 0 ($N_1$ is the same as $N_2$). Then the trivial linear path $P_1$ suffices.

(ii) Suppose $N_2$ is labeled with the clause $P_2(x + \nu_4) \Leftarrow P_3(x)$ and has the child $N_3$, labeled with the generalized configuration $P_3(\nu_3)$, and $N_1$ is a descendant of $N_3$. Clearly we must have $(\nu_3 + \nu_4)(I) = \nu_2(I)$. Also for all $i \in I$, $\nu_3(i) < \infty$. By the induction hypothesis we get a linear path $\pi'$ from $P_1$ to $P_3$ which is admissible for $\nu_1$ wrt $I$, and such that $(\nu_1 + v(\pi'))(I) = \nu_3(I)$. Let the required linear path $\pi$ be the concatenation of $\pi'$ with the linear path

$$P_3 \xrightarrow{P_2(x + \nu_4) \Leftarrow P_3(x)} P_2$$

We have $(\nu_1 + v(\pi))(I) = (\nu_1 + v(\pi') + \nu_4)(I) = (\nu_3 + \nu_4)(I) = \nu_2(I)$. In particular $(\nu_1 + v(\pi))(I) \ge 0$ and hence $\pi$ is admissible for $\nu_1$ wrt $I$.

(iii) Suppose $N_2$ is labeled with the clause $P_2(x + y) \Leftarrow P_3(x) \wedge P_4(y)$ and has the children $N_3$ and $N_4$, labeled with $P_3(\nu_3)$ and $P_4(\nu_4)$ respectively, and without loss of generality $N_1$ is a descendant of $N_3$. Clearly $\nu_2(I) = (\nu_3 + \nu_4)(I)$. Also for all $i \in I$, $\nu_3(i), \nu_4(i) < \infty$. By the induction hypothesis we get a linear path $\pi'$ from $P_1$ to $P_3$ which is admissible for $\nu_1$ wrt $I$, and such that $(\nu_1 + v(\pi'))(I) = \nu_3(I)$. Also, by assumption we have a $\nu_4'$ such that $P_4(\nu_4')$ is derivable, and for all $i$, if $\nu_4(i) < \infty$ then $\nu_4'(i) = \nu_4(i)$. In particular $\nu_4'(I) = \nu_4(I)$. Let the required linear path $\pi$ be the concatenation of $\pi'$ with the linear path

$$P_3 \xrightarrow{(P_2(x + y) \Leftarrow P_3(x) \wedge P_4(y),\ P_4(\nu_4'))} P_2$$

This is a well-defined linear path. We have $(\nu_1 + v(\pi))(I) = (\nu_1 + v(\pi') + \nu_4')(I) = (\nu_3 + \nu_4')(I) = (\nu_3 + \nu_4)(I) = \nu_2(I)$. In particular $(\nu_1 + v(\pi))(I) \ge 0$ and hence $\pi$ is admissible for $\nu_1$ wrt $I$.

□

Now we are ready to prove the required result:


Theorem 40 Let $\mathcal{V}$ be an extended VASS. If there is a covering derivation $\delta$ with root labeled by the generalized configuration $P(\nu)$, then for any $K \ge 0$ there is a tuple $\nu' \in \mathbb{N}^p$ such that

- for every $i$, if $\nu(i) = \infty$ then $\nu'(i) \ge K$,
- for every $i$, if $\nu(i) < \infty$ then $\nu'(i) = \nu(i)$,
- $P(\nu')$ is derivable.

Proof: We do induction on the size of $\delta$. We have the following cases:

(i) If $\delta$ is just a single node then $P(\nu)$ is a constant clause, and the tuple $\nu' = \nu$ is easily seen to satisfy the requirements.

(ii) Suppose $\delta$ is constructed using Rule 2 of Definition 13, so that its root $N$ is labeled with the clause $P(x + \nu_2) \Leftarrow P_1(x)$ and has the child $\delta_1$, whose root $N_1$ is labeled with $P_1(\nu_1)$. Let

$$I = \{ i \mid \nu(i) = \infty \}, \quad I_1 = \{ i \mid \nu_1(i) = \infty \}, \quad J = \{1, \ldots, p\} \setminus I, \quad J_1 = \{1, \ldots, p\} \setminus I_1, \quad I_a = I \setminus I_1.$$

For each $i \in I_a$ we define a path $\pi_i$ as follows. By definition of $I_a$ we have a node $N^i$ in $\delta_1$ labeled with a generalized configuration $P(\nu^i)$ such that

$$\nu^i \le \nu_1 + \nu_2 \quad \text{and} \quad \nu^i(i) < \nu_1(i) + \nu_2(i).$$

Because of the induction hypothesis, the covering derivation rooted at $N_1$ satisfies the assumptions of Lemma 57. Hence from this lemma we get a linear path $\pi_i'$ from $P$ to $P_1$ which is admissible for $\nu^i$ wrt $J_1$ and

$$(\nu^i + v(\pi_i'))(J_1) = \nu_1(J_1).$$

Let $\pi_i$ be the linear path obtained by concatenating $\pi_i'$ with the linear path $P_1 \xrightarrow{P(x + \nu_2) \Leftarrow P_1(x)} P$. We have

$$(\nu^i + v(\pi_i))(J_1) = (\nu^i + v(\pi_i') + \nu_2)(J_1) = (\nu_1 + \nu_2)(J_1) \ge 0.$$

Hence $\pi_i$ is admissible for $\nu^i$ wrt $J_1$. Since $\nu^i \le \nu_1 + \nu_2$, $\pi_i$ is admissible for $\nu_1 + \nu_2$ wrt $J_1$. If $j \in J$, then $\nu^i(j) = (\nu_1 + \nu_2)(j)$, otherwise by construction of the covering derivation we would have the contradiction that $\nu(j) = \infty$. But since $J \subseteq J_1$, we have

$$v(\pi_i)(J) = 0.$$

Also since $\nu^i \le \nu_1 + \nu_2$, we have

$$v(\pi_i)(J_1) \ge 0.$$

Since $\nu^i(i) < (\nu_1 + \nu_2)(i)$, we have

$$v(\pi_i)(i) \ge 1.$$

Let

$$\pi = \prod_{i \in I_a} \pi_i$$

where the product operation is concatenation of paths (the order in which the $\pi_i$'s are concatenated is not important). Since each $\pi_i$ starts from $P$ and ends at $P$, the linear path $\pi$ is well defined. Since $v(\pi_i)(J_1) \ge 0$ for each $i$, and each $\pi_i$ is admissible for $\nu_1 + \nu_2$ wrt $J_1$, it is easy to see that $\pi$ is admissible for $\nu_1 + \nu_2$ wrt $J_1$. Also we have

$$v(\pi)(J) = \sum_{i \in I_a} v(\pi_i)(J) = \sum_{i \in I_a} 0 = 0.$$

Since $v(\pi_i)(i) \ge 1$ for each $i \in I_a$, we have

$$v(\pi)(I_a) \ge 1.$$

We can again see that

- the path $\pi^K$ is admissible for $\nu_1 + \nu_2$ wrt $J_1$, ($\alpha$)
- $v(\pi^K)(J) = 0$, ($\beta$)
- $v(\pi^K)(I_a) \ge (K, \ldots, K)$. ($\gamma$)

Choose a $K_1 \ge 0$ such that for each prefix $\pi'$ of $\pi^K$ we have

$$((K_1, \ldots, K_1) + v(\pi'))(I_1) \ge 0 \qquad (\delta)$$

and

$$((K_1, \ldots, K_1) + v(\pi^K))(I_1) \ge (K, \ldots, K). \qquad (\varepsilon)$$

Consider a $K_2 \ge 0$ such that

$$((K_2, \ldots, K_2) + \nu_2)(I_1) \ge (K_1, \ldots, K_1). \qquad (\zeta)$$

By the induction hypothesis applied to $\delta_1$ and $K_2$ we have a $\nu_1'$ such that

- $P_1(\nu_1')$ is derivable, (a)
- $\nu_1'(I_1) \ge (K_2, \ldots, K_2)$, (b)
- $\nu_1'(J_1) = \nu_1(J_1)$. (c)

Then we have that $P(\nu_1' + \nu_2)$ is derivable, and

$$(\nu_1' + \nu_2)(I_1) = \nu_1'(I_1) + \nu_2(I_1) \ge (K_2, \ldots, K_2) + \nu_2(I_1) \ge (K_1, \ldots, K_1)$$

by (b) and then ($\zeta$). So from ($\delta$), $\pi^K$ is admissible for $\nu_1' + \nu_2$ wrt $I_1$. Since $\nu_1'(J_1) = \nu_1(J_1)$, by ($\alpha$) $\pi^K$ is admissible for $\nu_1' + \nu_2$ wrt $J_1$. Since $I_1 \cup J_1 = \{1, \ldots, p\}$, $\pi^K$ is admissible for $\nu_1' + \nu_2$. This means that $P(\nu_1' + \nu_2 + v(\pi^K))$ is derivable. Now

$$(\nu_1' + \nu_2 + v(\pi^K))(J) = (\nu_1' + \nu_2)(J) = (\nu_1 + \nu_2)(J) = \nu(J)$$

by ($\beta$), then by (c) and since $J \subseteq J_1$;

$$(\nu_1' + \nu_2 + v(\pi^K))(I_a) = (\nu_1 + \nu_2 + v(\pi^K))(I_a) \ge v(\pi^K)(I_a) \ge (K, \ldots, K)$$

by (c) and since $I_a \subseteq J_1$, then by ($\gamma$);

$$(\nu_1' + \nu_2 + v(\pi^K))(I_1) \ge ((K_2, \ldots, K_2) + \nu_2 + v(\pi^K))(I_1) \ge ((K_1, \ldots, K_1) + v(\pi^K))(I_1) \ge (K, \ldots, K)$$

by (b), then ($\zeta$), then ($\varepsilon$). Hence, as $I = I_a \cup I_1$, the required tuple is $\nu' = \nu_1' + \nu_2 + v(\pi^K)$.

(iii) Suppose $\delta$ is constructed using Rule 3 of Definition 13, so that its root $N$ is labeled with the clause $P(x + y) \Leftarrow P_1(x) \wedge P_2(y)$ and has the children $\delta_1$ and $\delta_2$, whose roots are labeled with $P_1(\nu_1)$ and $P_2(\nu_2)$. Let

$$I = \{ i \mid \nu(i) = \infty \}, \quad I_1 = \{ i \mid \nu_1(i) = \infty \}, \quad I_2 = \{ i \mid \nu_2(i) = \infty \},$$

$$J = \{1, \ldots, p\} \setminus I, \quad J_1 = \{1, \ldots, p\} \setminus I_1, \quad J_2 = \{1, \ldots, p\} \setminus I_2, \quad I_a = I \setminus (I_1 \cup I_2).$$

By the induction hypothesis we have $\nu_1'$ and $\nu_2'$ such that $P_1(\nu_1')$ and $P_2(\nu_2')$ are derivable, $\nu_1'(i) = \nu_1(i)$ for all $i \in J_1$ and $\nu_2'(i) = \nu_2(i)$ for all $i \in J_2$.

For each $i \in I_a$ we define a path $\pi_i$ as follows. By definition of $I_a$ there is a node $N^i$ in $\delta_1$ or $\delta_2$, labeled with $P(\nu^i)$, such that

$$\nu^i \le \nu_1 + \nu_2 \quad \text{and} \quad \nu^i(i) < \nu_1(i) + \nu_2(i).$$

Let $b_i \in \{1, 2\}$ be such that $N^i$ is in $\delta_{b_i}$, and let $\bar{b}_i$ be the other element of $\{1, 2\}$. Because of the induction hypothesis, the covering derivation $\delta_{b_i}$ satisfies the assumptions of Lemma 57. Hence from Lemma 57 we get a linear path $\pi_i'$ from $P$ to $P_{b_i}$ which is admissible for $\nu^i$ wrt $J_{b_i}$ and

$$(\nu^i + v(\pi_i'))(J_{b_i}) = \nu_{b_i}(J_{b_i}).$$

Let $\pi_i$ be the linear path obtained by concatenating $\pi_i'$ with the linear path

$$P_{b_i} \xrightarrow{(P(x + y) \Leftarrow P_{b_i}(x) \wedge P_{\bar{b}_i}(y),\ P_{\bar{b}_i}(\nu_{\bar{b}_i}'))} P$$

$\pi_i$ is a well-defined linear path. We claim that

$$\pi_i \text{ is admissible for } \nu_1 + \nu_2 \text{ wrt } J_1 \cap J_2. \qquad (\kappa)$$

Since $J_1 \cap J_2 \subseteq J_{b_i}$, $\pi_i'$ is admissible for $\nu^i$ wrt $J_1 \cap J_2$ and

$$(\nu^i + v(\pi_i'))(J_1 \cap J_2) = \nu_{b_i}(J_1 \cap J_2).$$

Since $\nu_{\bar{b}_i}'(J_{\bar{b}_i}) = \nu_{\bar{b}_i}(J_{\bar{b}_i})$ and $J_1 \cap J_2 \subseteq J_{\bar{b}_i}$, we hence have

$$(\nu^i + v(\pi_i))(J_1 \cap J_2) = (\nu^i + v(\pi_i') + \nu_{\bar{b}_i}')(J_1 \cap J_2) = (\nu_{b_i} + \nu_{\bar{b}_i}')(J_1 \cap J_2) = (\nu_{b_i} + \nu_{\bar{b}_i})(J_1 \cap J_2) = (\nu_1 + \nu_2)(J_1 \cap J_2). \qquad (\lambda)$$

Hence we have $(\nu^i + v(\pi_i))(J_1 \cap J_2) \ge 0$, so $\pi_i$ is admissible for $\nu^i$ wrt $J_1 \cap J_2$. As $\nu^i \le \nu_1 + \nu_2$, $\pi_i$ is admissible for $\nu_1 + \nu_2$ wrt $J_1 \cap J_2$. This proves claim ($\kappa$).

If $j \in J$ then $\nu^i(j) = (\nu_1 + \nu_2)(j)$, otherwise by construction of the covering derivation we would have the contradiction that $\nu(j) = \infty$. Since $J \subseteq J_1 \cap J_2$, hence by ($\lambda$),

$$v(\pi_i)(J) = 0.$$

Also since $\nu^i \le \nu_1 + \nu_2$ we have that

$$v(\pi_i)(J_1 \cap J_2) \ge 0.$$

Since $\nu^i(i) < (\nu_1 + \nu_2)(i)$, we have

$$v(\pi_i)(i) \ge 1.$$

Let

$$\pi = \prod_{i \in I_a} \pi_i.$$

Since each $\pi_i$ starts at $P$ and ends at $P$, the linear path $\pi$ is well defined. Since $v(\pi_i)(J_1 \cap J_2) \ge 0$ for each $i$, and each $\pi_i$ is admissible for $\nu_1 + \nu_2$ wrt $J_1 \cap J_2$, it is easy to see that $\pi$ is admissible for $\nu_1 + \nu_2$ wrt $J_1 \cap J_2$. Also we have

$$v(\pi)(J) = \sum_{i \in I_a} v(\pi_i)(J) = \sum_{i \in I_a} 0 = 0.$$

Since $v(\pi_i)(i) \ge 1$ for each $i \in I_a$, we have

$$v(\pi)(I_a) \ge 1.$$

We can again see that $\pi^K$ is admissible for $\nu_1 + \nu_2$ wrt $J_1 \cap J_2$,

$$v(\pi^K)(J) = 0 \qquad (\sigma)$$

and

$$v(\pi^K)(I_a) \ge (K, \ldots, K). \qquad (\beta)$$

Choose a $K_1 \ge 0$ such that

$$\text{for each prefix } \pi' \text{ of } \pi^K, \quad ((K_1, \ldots, K_1) + v(\pi'))(I_1 \cup I_2) \ge 0 \qquad (\Delta)$$

and

$$((K_1, \ldots, K_1) + v(\pi^K))(I_1 \cup I_2) \ge (K, \ldots, K). \qquad (\varepsilon)$$

By the induction hypothesis applied to $\delta_1$, $\delta_2$ and $K_1$ we have $\nu_1''$, $\nu_2''$ such that

- $P_1(\nu_1'')$, $P_2(\nu_2'')$ are derivable, (a)
- $\nu_1''(I_1), \nu_2''(I_2) \ge (K_1, \ldots, K_1)$, (b)
- $\nu_1''(J_1) = \nu_1(J_1)$ and $\nu_2''(J_2) = \nu_2(J_2)$. (c)

Then we have that $P(\nu_1'' + \nu_2'')$ is derivable. Since $\nu_1''(I_1) \ge (K_1, \ldots, K_1)$, we get $(\nu_1'' + \nu_2'')(I_1) \ge (K_1, \ldots, K_1)$. Similarly $(\nu_1'' + \nu_2'')(I_2) \ge (K_1, \ldots, K_1)$. So we get

$$(\nu_1'' + \nu_2'')(I_1 \cup I_2) \ge (K_1, \ldots, K_1). \qquad (\gamma)$$

So from ($\Delta$), we have that $\pi^K$ is admissible for $\nu_1'' + \nu_2''$ wrt $I_1 \cup I_2$. Since $\nu_1''(J_1) = \nu_1(J_1)$ and $\nu_2''(J_2) = \nu_2(J_2)$, we have $(\nu_1'' + \nu_2'')(J_1 \cap J_2) = (\nu_1 + \nu_2)(J_1 \cap J_2)$. Since $\pi^K$ is admissible for $\nu_1 + \nu_2$ wrt $J_1 \cap J_2$, $\pi^K$ is admissible for $\nu_1'' + \nu_2''$ wrt $J_1 \cap J_2$. Since $(I_1 \cup I_2) \cup (J_1 \cap J_2) = \{1, \ldots, p\}$, $\pi^K$ is admissible for $\nu_1'' + \nu_2''$. This means that $P(\nu_1'' + \nu_2'' + v(\pi^K))$ is derivable. Now

$$(\nu_1'' + \nu_2'' + v(\pi^K))(J) = (\nu_1'' + \nu_2'')(J) = (\nu_1 + \nu_2)(J) = \nu(J)$$

by ($\sigma$), then by (c) and since $J \subseteq J_1 \cap J_2$;

$$(\nu_1'' + \nu_2'' + v(\pi^K))(I_a) \ge v(\pi^K)(I_a) \ge (K, \ldots, K)$$

by ($\beta$);

$$(\nu_1'' + \nu_2'' + v(\pi^K))(I_1 \cup I_2) \ge ((K_1, \ldots, K_1) + v(\pi^K))(I_1 \cup I_2) \ge (K, \ldots, K)$$

by ($\gamma$), then ($\varepsilon$). Hence, as $I = I_a \cup I_1 \cup I_2$, the required tuple is $\nu' = \nu_1'' + \nu_2'' + v(\pi^K)$.

□


Now we are left to prove that there are only finitely many covering derivations. This is Theorem 41 
below. 


Remark 1 Let $\mathcal{V}$ be an extended VASS, $\delta$ a covering derivation, and $N_1$ and $N_2$ two nodes in $\delta$ such that $N_1$ is a descendant of $N_2$. Let $N_1$ and $N_2$ be labeled by the generalized configurations $P_1(\nu_1)$ and $P_2(\nu_2)$. Then for any $i$, if $\nu_1(i) = \infty$ then $\nu_2(i) = \infty$.

Lemma 58 Let $\mathcal{V}$ be an extended VASS. Given a covering derivation $\delta$ with root node $N$, and another node $N'$ in it, such that $N$ and $N'$ are labeled with the generalized configurations $P(\nu)$ and $P(\nu')$ (same $P$ in both cases) with $\nu' < \nu$. Then $\nu$ has strictly more infinite coordinates than $\nu'$.

Proof: Assume the contrary. Then from Remark 1, $\nu$ and $\nu'$ have the same infinite coordinates. Clearly $\delta$ must have been constructed by using Rule 2 or Rule 3 of Definition 13. Accordingly we have the following two cases:

- $N$ has a child $N_1$ labeled with the generalized configuration $P_1(\nu_1)$ and $N$ is labeled with the clause $P(x + \nu_2) \Leftarrow P_1(x)$. From Remark 1 we have that $\nu_1$ has the same infinite coordinates as $\nu$. Then from the construction in Rule 2 of Definition 13, we must have $\nu = \nu_1 + \nu_2$. But then we have $\nu' \le \nu_1 + \nu_2$ and, since $\nu' \ne \nu$, for some $i$, $\nu'(i) < \nu_1(i) + \nu_2(i)$. Then we must have $\nu(i) = \infty$, whereas we have $\nu'(i) < \infty$ because of the fact that $\nu'(i) < \nu_1(i) + \nu_2(i)$. Hence we have a contradiction.

- $N$ is labeled with the clause $P(x + y) \Leftarrow P_1(x) \wedge P_2(y)$ and has the children $N_1$ and $N_2$ labeled with $P_1(\nu_1)$ and $P_2(\nu_2)$. Without loss of generality we assume $N'$ is a descendant of $N_1$. Then from Remark 1 we have that $\nu_1$ and $\nu$ have the same infinite coordinates. Then from the construction in Rule 3 of Definition 13, we have that $\nu = \nu_1 + \nu_2$. But then we must have $\nu' \le \nu_1 + \nu_2$ and, since $\nu' \ne \nu$, for some $i$, $\nu'(i) < \nu_1(i) + \nu_2(i)$. Then we must have $\nu(i) = \infty$, whereas we have $\nu'(i) < \infty$ because of the fact that $\nu'(i) < \nu_1(i) + \nu_2(i)$. Hence we have a contradiction.

□

The height $H(\delta)$ of a covering derivation $\delta$ is the height of the corresponding tree. We define a partial order $\prec_H$ on covering derivations by $\delta_1 \prec_H \delta_2$ iff $H(\delta_1) < H(\delta_2)$. Let $\prec$ be any total extension of $\prec_H$, e.g. $\delta_1 \prec \delta_2$ iff $H(\delta_1) < H(\delta_2)$, or $H(\delta_1) = H(\delta_2)$ and $\delta_1 \sqsubset \delta_2$ for some arbitrary total order $\sqsubset$ on derivations of the same height. Then it is clear that for any $\delta$ there are only a finite number of covering derivations $\delta'$ such that $\delta' \prec \delta$. We define $\delta_1 \preceq \delta_2$ iff $\delta_1 \prec \delta_2$ or $\delta_1 = \delta_2$.

Theorem 41 There are only finitely many covering derivations. In particular they can be effectively computed.

Proof: We will construct a forest of all possible derivations (i.e., each node in this forest will be a derivation). A forest is a finite set of trees, which we shall call components. This forest is constructed iteratively by adding one node at a time, using the following rules:

1. Each covering derivation constructed using Rule 1 of Definition 13 is a root node. These are the only root nodes, so that we will have only a finite number of trees.

2. Assume $\delta$ is constructed using the derivation $\delta_1$ as defined in Rule 2 of Definition 13, $\delta_1$ has been added to the forest, and $\delta$ has not been added. Then we add $\delta$ as a child of $\delta_1$.

3. Suppose $\delta_1$ and $\delta_2$ have been added to the forest, and $\delta$ is constructed using them as defined in Rule 3 of Definition 13 and has not been added to the forest. Let $\delta_1 \preceq \delta_2$, which we may assume wlog, as $\preceq$ is total. Then we add $\delta$ to the forest as a child of $\delta_2$.

It is clear that in this way all the derivations are added to the forest eventually. We claim that this process ends (i.e. the forest is finite). Assume the contrary. Since the number of trees is finite, one of the trees would be infinite. Call it $T$.

We see that the trees are finitely branching. For any covering derivation $\delta$, the number of children created using Rule 2 above is limited by the number of clauses, and the number of children created using Rule 3 above is limited by the number of clauses times the (finite) number of $\delta_1$'s such that $\delta_1 \preceq \delta$.

Then by König's lemma, there would be an infinite path in $T$. Consider the corresponding sequence of generalized configurations labeling the roots of the derivations.

First we note that if $P_1(\nu_1)$ occurs (not necessarily immediately) before $P_2(\nu_2)$ in this sequence, then there is a covering derivation with root labeled $P_2(\nu_2)$ with some other node in the derivation labeled $P_1(\nu_1)$.

Since the number of predicates is finite, we would have an infinite subsequence of the form $P(\nu_1'), P(\nu_2'), \ldots$ for some $P$. Then we can find a subsequence $P(\nu_1), P(\nu_2), \ldots$ such that $\nu_i \le \nu_{i+1}$ for all $i$, since $\le$ is a wqo on $(\mathbb{N} \cup \{\infty\})^p$, an easy consequence of Dickson's lemma.

We cannot have $\nu_i = \nu_{i+1}$. Otherwise it would mean that the derivation $\delta$ corresponding to $P(\nu_{i+1})$ has a non-root node labeled with $P(\nu_i)$ ($= P(\nu_{i+1})$). But then $\delta$ cannot be used further to create new derivations, which means that it would have no children in the forest, giving a contradiction.

Hence we have $\nu_i < \nu_{i+1}$ for all $i$. Consider the derivation corresponding to the generalized configuration $P(\nu_{i+1})$. Its root $N$ has a descendant $N'$ labeled with the atom $P(\nu_i)$. Then by Lemma 58, $\nu_{i+1}$ has strictly more infinite coordinates than $\nu_i$. This holds for each $i$, which gives us a contradiction, since a tuple has at most $p$ infinite coordinates.

□

11.3 Adding Standard +-Push Clauses to AC Automata

Having studied the EVASS, we are now ready to deal with standard +-push clauses in automata modulo AC.

11.3.1 Constant-Only AC Automata with Standard +-Push Clauses

First of all we deal with the simplest of these automata, namely the constant-only AC automata extended by adding standard +-push clauses. From the discussion at the beginning of Section 11.2, this translation is almost straightforward, except for a minor problem. Since we are working modulo AC instead of ACU, we are not allowed to derive the empty summation in our automata, whereas in the extended VASS's we are allowed to derive the tuple $(0, \ldots, 0)$. Hence the translation requires some care. We assume that the constants in our signature are $a_1, \ldots, a_p$, so that the EVASS we will construct work on tuples in $\mathbb{N}^p$.

Lemma 59 Let $\mathcal{A}$ be an automaton modulo AC containing clauses of constant-only AC automata, as well as standard +-push clauses. Then we can effectively construct an extended VASS $\mathcal{V}$ such that for every state $P$ in the automaton $\mathcal{A}$:

(i) If the atom $P(\sum_{i=1}^p n_i a_i)$ is derivable in the automaton $\mathcal{A}/\mathrm{AC}$, then the configuration $P(n_1, \ldots, n_p)$ is derivable in the EVASS $\mathcal{V}$.

(ii) If the configuration $P(n_1, \ldots, n_p)$ is derivable in the EVASS $\mathcal{V}$, then $(n_1, \ldots, n_p) > (0, \ldots, 0)$ (i.e. not all $n_i$ are zero) and the atom $P(\sum_{i=1}^p n_i a_i)$ is derivable in the automaton $\mathcal{A}/\mathrm{AC}$.

Proof: The states of $\mathcal{V}$ are of the form $P$, $P_{aux}$, $P^1_{aux}, \ldots, P^p_{aux}$ where $P$ is a state in $\mathcal{A}$. We add clauses to $\mathcal{V}$ corresponding to the clauses of $\mathcal{A}$. For a +-pop clause $P(x + y) \Leftarrow P_1(x) \wedge P_2(y) \in \mathcal{A}$, we add the addition clause $P(x + y) \Leftarrow P_1(x) \wedge P_2(y)$ to $\mathcal{V}$. For an epsilon clause $P(x) \Leftarrow P_1(x) \in \mathcal{A}$ we add the constant-addition clause $P(x + (0, \ldots, 0)) \Leftarrow P_1(x)$ to $\mathcal{V}$. For a base clause $P(a_i) \in \mathcal{A}$ we add the constant clause $P(0, \ldots, 0, 1, 0, \ldots, 0)$ where the '1' is present in the $i$th coordinate.

Finally we come to the interesting case, namely that of a standard +-push clause of the form $P(x) \Leftarrow Q(x + y) \in \mathcal{A}$. For $1 \le i \le p$ define $u_i = (0, \ldots, 0, 1, 0, \ldots, 0)$ and $\bar{u}_i = (0, \ldots, 0, -1, 0, \ldots, 0)$, where the '1' and the '$-1$' have been put in the $i$th positions of $u_i$ and $\bar{u}_i$ respectively. For $1 \le i \le p$ we add the clauses

$Q_{aux}(x + \bar{u}_i) \Leftarrow Q(x)$

$Q_{aux}(x + \bar{u}_i) \Leftarrow Q_{aux}(x)$

$Q^i_{aux}(x + \bar{u}_i) \Leftarrow Q_{aux}(x)$

$P(x + u_i) \Leftarrow Q^i_{aux}(x)$

to $\mathcal{V}$. The translation of the +-pop clauses, epsilon clauses and base clauses is self-evident. Now we explain the translation of the standard +-push clause $P(x) \Leftarrow Q(x + y) \in \mathcal{A}$. This clause intuitively tells us to go from state $Q$ to state $P$ by deleting as many (but at least one) constants as we like, provided at least one constant is left in the term. The clauses $Q_{aux}(x + \bar{u}_i) \Leftarrow Q(x)$ for $1 \le i \le p$ allow us to go from $Q$ to $Q_{aux}$ by deleting exactly one constant $a_i$ for some $1 \le i \le p$, but in the process we may get the term 0 corresponding to the tuple $(0, \ldots, 0)$. The clauses $Q_{aux}(x + \bar{u}_i) \Leftarrow Q_{aux}(x)$ for $1 \le i \le p$ allow us to delete as many constants as we like, while remaining in the state $Q_{aux}$. In this process we may also get the term 0 corresponding to the tuple $(0, \ldots, 0)$. It is clear that now we just need to accept all the non-zero tuples of $Q_{aux}$ at $P$. For $1 \le i \le p$ the clause $Q^i_{aux}(x + \bar{u}_i) \Leftarrow Q_{aux}(x)$ allows us to go from $Q_{aux}$ to $Q^i_{aux}$ by decreasing the $i$th coordinate by 1. This step is possible only if the $i$th coordinate of the concerned tuple in $Q_{aux}$ is strictly positive. Now to get back the original tuple of $Q_{aux}$ we have the clause $P(x + u_i) \Leftarrow Q^i_{aux}(x)$, which allows us to go from $Q^i_{aux}$ to $P$ by increasing the $i$th coordinate by 1. Hence the tuples reaching $P$ in this way are exactly the non-zero tuples of $Q_{aux}$. □
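The translation of Lemma 59 in Python, as an added example that is not part of the thesis. It builds the EVASS clauses for a constructed automaton in which $Q$ accepts exactly $a_1 + a_2 + a_2$ (the tuple $(1, 2)$) and a standard +-push clause $P(x) \Leftarrow Q(x + y)$, then uses a bounded forward saturation of the EVASS to check that $P$ gets exactly the non-zero tuples strictly below $(1, 2)$. For contrast it also builds a naive translation of the +-push clause without the auxiliary states (assumed here only to show the pitfall discussed above): that version derives the tuple $(0, \ldots, 0)$ at $P$, although no term modulo AC corresponds to it. The clause encodings and the names `unit`, `translate`, `derivable`, `accepted`, `AUTOMATON`, `LEMMA_59` and `NAIVE` are assumptions made for this example.

```python
# Added example, not part of the thesis: the translation of Lemma 59 and a bounded check.
# Automaton clauses over constants a_1..a_p (encoding assumed for this example):
#   ("base", P, i)        P(a_i)                      (i is 0-based here)
#   ("eps",  P, P1)       P(x) <= P1(x)
#   ("pop",  P, P1, P2)   P(x + y) <= P1(x) /\ P2(y)
#   ("push", P, Q)        P(x) <= Q(x + y)            standard +-push clause
# EVASS clauses (same assumed encoding): ("const", P, v), ("cadd", P, P1, v), ("add", P, P1, P2)


def unit(i, p, sign=1):
    """u_i (sign=1) or its negation (sign=-1): +-1 in coordinate i, 0 elsewhere."""
    return tuple(sign if j == i else 0 for j in range(p))


def translate(automaton, p):
    """Lemma 59: EVASS clauses on states P, Q_aux, Q_aux^i simulating the automaton modulo AC."""
    vass = []
    for c in automaton:
        if c[0] == "base":
            vass.append(("const", c[1], unit(c[2], p)))
        elif c[0] == "eps":
            vass.append(("cadd", c[1], c[2], (0,) * p))
        elif c[0] == "pop":
            vass.append(("add", c[1], c[2], c[3]))
        else:                                              # ("push", P, Q): P(x) <= Q(x + y)
            P, Q = c[1], c[2]
            aux = Q + "_aux"
            for i in range(p):
                vass += [
                    ("cadd", aux, Q, unit(i, p, -1)),               # Q -> Q_aux: delete one a_i
                    ("cadd", aux, aux, unit(i, p, -1)),             # Q_aux -> Q_aux: delete more
                    ("cadd", aux + str(i), aux, unit(i, p, -1)),    # only if coordinate i > 0 ...
                    ("cadd", P, aux + str(i), unit(i, p)),          # ... then restore it at P
                ]
    return vass


def derivable(vass, bound):
    """All configurations derivable in the EVASS whose coordinates all lie in [0, bound]."""
    confs, changed = set(), True
    while changed:
        changed = False
        for c in vass:
            if c[0] == "const":
                new = {(c[1], c[2])}
            elif c[0] == "cadd":
                new = {(c[1], tuple(a + b for a, b in zip(v, c[3])))
                       for q, v in confs if q == c[2]}
            else:
                new = {(c[1], tuple(a + b for a, b in zip(v1, v2)))
                       for q1, v1 in confs if q1 == c[2]
                       for q2, v2 in confs if q2 == c[3]}
            # tuples must stay in N^p; the bound keeps the exploration finite
            new = {(q, v) for q, v in new if all(0 <= x <= bound for x in v)}
            if not new <= confs:
                confs |= new
                changed = True
    return confs


def accepted(vass, state, bound):
    """Tuples derivable at one state, i.e. the terms sum n_i a_i accepted there (Lemma 59)."""
    return {v for q, v in derivable(vass, bound) if q == state}


# Constructed automaton (p = 2): Q accepts exactly a_1 + a_2 + a_2, the tuple (1, 2),
# and the standard +-push clause P(x) <= Q(x + y) drops at least one constant from it
# while leaving at least one.
AUTOMATON = [
    ("base", "A", 0), ("base", "B", 1),
    ("pop", "BB", "B", "B"), ("pop", "Q", "A", "BB"),
    ("push", "P", "Q"),
]
LEMMA_59 = translate(AUTOMATON, 2)

# Naive translation of the same +-push clause without the auxiliary states (assumed here
# only for contrast): deletion is unrestricted, so the zero tuple reaches P although no
# term modulo AC (where 0 is not a term) corresponds to it.
NAIVE = translate([c for c in AUTOMATON if c[0] != "push"], 2) + [
    ("cadd", "P", "Q", unit(i, 2, -1)) for i in range(2)] + [
    ("cadd", "P", "P", unit(i, 2, -1)) for i in range(2)]

if __name__ == "__main__":
    print("Q accepts", sorted(accepted(LEMMA_59, "Q", 3)))
    print("P accepts", sorted(accepted(LEMMA_59, "P", 3)))
    print("naive P  ", sorted(accepted(NAIVE, "P", 3)))
```

With bound 3 the Lemma 59 translation yields $\{(0,1), (0,2), (1,0), (1,1)\}$ at $P$, i.e. the four non-empty proper sub-sums of $a_1 + a_2 + a_2$, while the naive translation additionally yields $(0,0)$; the bound only limits the exploration and is irrelevant here since no derivable tuple exceeds $(1,2)$.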

This gives us a procedure for eliminating standard +-push clauses. For that we first make the following observation:

Remark 2 Given any $\nu \in (\mathbb{N} \cup \{\infty\})^p$, the set $L_<(\nu) = \{ \nu' \in \mathbb{N}^p \mid (0, \ldots, 0) < \nu' < \nu \}$ (where $<$ is the strict pointwise order, i.e. $\le$ and $\ne$) is semilinear. We will use $L'_<(\nu)$ to denote the corresponding set $\mathrm{AC}(\{ \sum_{i=1}^p n_i a_i \mid (n_1, \ldots, n_p) \in L_<(\nu) \})$.

Lemma 60 Given an automaton $\mathcal{A}$ modulo AC containing constant-only AC automata clauses and standard +-push clauses, we can compute a constant-only AC automaton $\mathcal{B}$ such that for every state $P$ in the automaton $\mathcal{A}$, $\mathcal{L}_P(\mathcal{A}/\mathrm{AC}) = \mathcal{L}_P(\mathcal{B}/\mathrm{AC})$.

Proof: Using Lemma 59 we construct an EVASS $\mathcal{V}$ such that each state $P$ in $\mathcal{A}$ accepts exactly the terms $\sum_{i=1}^p n_i a_i$ such that $P(n_1, \ldots, n_p)$ is derivable in $\mathcal{V}$. From Theorems 39 and 40, if $P(x) \Leftarrow Q(x + y)$ is any clause, then the set of terms accepted at $P$ using this clause is $L_1 = \bigcup L'_<(\nu)$, where the union is taken over all $\nu$ such that there is some covering derivation for $\mathcal{V}$ with root labeled by the generalized configuration $Q(\nu)$. From Theorem 41, since the number of such $\nu$'s is finite, $L_1$ is semilinear, and can be accepted at a new state $Q'$ using other new states and only clauses of constant-only AC automata. Then we can replace the clause $P(x) \Leftarrow Q(x + y)$ by the clause $P(x) \Leftarrow Q'(x)$.
□

However note that while in the ACU case we are able to do this in polynomial time, in the AC case this algorithm is non-primitive recursive, because the Karp-Miller construction (even for VASS) is not primitive recursive. The presence of standard +-push clauses is the only case in this thesis where the algorithms for automata modulo AC and ACU have such widely different complexities. Still we don't know of any case where the decidability question has different answers for automata modulo AC and ACU. We conclude that

Theorem 42 The automata modulo AC containing constant-only AC automata clauses and standard +-push clauses accept exactly those semilinear sets which don't contain the term 0.


11.3.2 Reusing AC Derivations with Standard +-Push Clauses

We now prove an equivalent of Lemmas 21 and 23, which allow us to reuse ACU and ACUD derivations. We show how to reuse AC derivations which also involve standard +-push clauses. However the statement of the result has a slightly different form, which is more suited for the AC case. Given an AC derivation, we show that some clause is a consequence of the clauses used in the derivation. Such a clause can then be used to derive new atoms. Hence the result indirectly shows what new atoms can be derived by reusing a given derivation.


Lemma 61 Let $S$ be a set of epsilon clauses (3.3), +-pop clauses (3.6), and standard +-push clauses (3.15). Let $\pi$ be a derivation of an atom $P(t)$ of the form

$$\pi = \frac{\overset{\pi_1}{P_1(t_1)} \quad \cdots \quad \overset{\pi_n}{P_n(t_n)}}{P(t)} \; (S/\mathrm{AC})$$

where each $\pi_i$ uses a free pop clause as the last clause (in particular $t_i$ is functional). Then for some $1 \le i_1 < \ldots < i_k \le n$

(i) $t =_{\mathrm{AC}} t_{i_1} + \cdots + t_{i_k}$,

(ii) $S \models_{\mathrm{AC}} P(x_{i_1} + \cdots + x_{i_k}) \Leftarrow P_1(x_1) \wedge \ldots \wedge P_n(x_n)$,

(iii) if no standard +-push clause (3.15) is in $S$ then $k = n$, i.e. $t =_{\mathrm{AC}} t_1 + \ldots + t_n$.

Proof: We do induction on the size of the derivation $\pi$. We have the following cases:

(i) $n = 1$ and $\pi = \pi_1$. Clearly $t = t_1$ and $P = P_1$. Trivially we have $\models_{\mathrm{AC}} P_1(x_1) \Leftarrow P_1(x_1)$.

(ii) The last clause used in $\pi$ is a +-pop clause $P(x + y) \Leftarrow P'(x) \wedge P''(y)$:

$$\pi = \frac{\dfrac{\overset{\pi_1}{P_1(t_1)} \quad \cdots \quad \overset{\pi_m}{P_m(t_m)}}{P'(t')} \; (S/\mathrm{AC}) \qquad \dfrac{\overset{\pi_{m+1}}{P_{m+1}(t_{m+1})} \quad \cdots \quad \overset{\pi_n}{P_n(t_n)}}{P''(t'')} \; (S/\mathrm{AC})}{P(t)} \; (P(x + y) \Leftarrow P'(x) \wedge P''(y) / \mathrm{AC})$$

Clearly $t =_{\mathrm{AC}} t' + t''$. By the induction hypothesis we have $1 \le i_1 < \ldots < i_p \le m$ with $t' =_{\mathrm{AC}} t_{i_1} + \cdots + t_{i_p}$, and $m + 1 \le i_{p+1} < \ldots < i_k \le n$ with $t'' =_{\mathrm{AC}} t_{i_{p+1}} + \cdots + t_{i_k}$, such that

$$S \models_{\mathrm{AC}} P'(x_{i_1} + \cdots + x_{i_p}) \Leftarrow P_1(x_1) \wedge \ldots \wedge P_m(x_m), \qquad (*)$$

$$S \models_{\mathrm{AC}} P''(x_{i_{p+1}} + \cdots + x_{i_k}) \Leftarrow P_{m+1}(x_{m+1}) \wedge \ldots \wedge P_n(x_n). \qquad (**)$$

Hence we have $1 \le i_1 < \ldots < i_k \le n$ and $t =_{\mathrm{AC}} t' + t'' =_{\mathrm{AC}} t_{i_1} + \ldots + t_{i_k}$. Since $P(x + y) \Leftarrow P'(x) \wedge P''(y) \in S$, from $(*)$ and $(**)$ we have $S \models_{\mathrm{AC}} P(x_{i_1} + \cdots + x_{i_k}) \Leftarrow P_1(x_1) \wedge \ldots \wedge P_n(x_n)$. Also, if no standard +-push clause (3.15) is in $S$, then $t' =_{\mathrm{AC}} t_1 + \ldots + t_m$ and $t'' =_{\mathrm{AC}} t_{m+1} + \ldots + t_n$, so that $t =_{\mathrm{AC}} t_1 + \ldots + t_n$.

(iii) The last clause used in $\pi$ is an epsilon clause $P(x) \Leftarrow P'(x)$:

$$\pi = \frac{\dfrac{\overset{\pi_1}{P_1(t_1)} \quad \cdots \quad \overset{\pi_n}{P_n(t_n)}}{P'(t')} \; (S/\mathrm{AC})}{P(t)} \; (P(x) \Leftarrow P'(x) / \mathrm{AC})$$

Clearly $t =_{\mathrm{AC}} t'$. By the induction hypothesis we have $1 \le i_1 < \ldots < i_k \le n$ such that $t' =_{\mathrm{AC}} t_{i_1} + \ldots + t_{i_k}$ and $S \models_{\mathrm{AC}} P'(x_{i_1} + \ldots + x_{i_k}) \Leftarrow P_1(x_1) \wedge \ldots \wedge P_n(x_n)$. Since $P(x) \Leftarrow P'(x) \in S$ we have $S \models_{\mathrm{AC}} P(x_{i_1} + \ldots + x_{i_k}) \Leftarrow P_1(x_1) \wedge \ldots \wedge P_n(x_n)$. Also, if no standard +-push clause (3.15) is in $S$, then by the induction hypothesis we have $t =_{\mathrm{AC}} t_1 + \ldots + t_n$.

(iv) The last clause used in $\pi$ is a standard +-push clause $P(x) \Leftarrow P'(x + y)$:

$$\pi = \frac{\dfrac{\overset{\pi_1}{P_1(t_1)} \quad \cdots \quad \overset{\pi_n}{P_n(t_n)}}{P'(t')} \; (S/\mathrm{AC})}{P(t)} \; (P(x) \Leftarrow P'(x + y) / \mathrm{AC})$$

By the induction hypothesis we have $1 \le j_1 < \ldots < j_p \le n$ such that $t' =_{\mathrm{AC}} t_{j_1} + \cdots + t_{j_p}$, and

$$S \models_{\mathrm{AC}} P'(x_{j_1} + \ldots + x_{j_p}) \Leftarrow P_1(x_1) \wedge \ldots \wedge P_n(x_n). \qquad (*)$$

From the structure of the derivation, and since each $t_i$ is functional, we have $1 \le i_1 < \ldots < i_k \le n$ such that $\{i_1, \ldots, i_k\} \subseteq \{j_1, \ldots, j_p\}$ and $t =_{\mathrm{AC}} t_{i_1} + \ldots + t_{i_k}$. Also $P(x) \Leftarrow P'(x + y) \in S$, hence from $(*)$ we have $S \models_{\mathrm{AC}} P(x_{i_1} + \ldots + x_{i_k}) \Leftarrow P_1(x_1) \wedge \ldots \wedge P_n(x_n)$.

□

Note that the corresponding Lemmas 21, 22 and 23 for reusing derivations do not have the condition that the last clause used by each $\pi_i$ should be a free pop clause. This condition is needed in Lemma 61 because of the standard +-push clauses (see case (iv) in the proof of the lemma).

We now define the equivalent notion of functional support in the presence of standard +-push clauses for the AC case:


Definition 16 (AC-Standard Functional Support) Let $\pi$ be a derivation modulo AC in an automaton $\mathcal{A}$ containing one-way AC automata clauses as well as standard +-push clauses. If

$$\pi = \frac{\overset{\pi_1}{P_1(t_1)} \quad \cdots \quad \overset{\pi_n}{P_n(t_n)}}{P(t)} \; (\mathcal{A}_{eq}/\mathrm{AC})$$

where each $\pi_i$ uses a free pop clause at the root, then the (unordered) list of atoms $P_1(t_1), \ldots, P_n(t_n)$ is called the AC-standard functional support of $\pi$.

From Lemma 61 we also have some $1 \le i_1 < \ldots < i_k \le n$ such that

(i) $t =_{\mathrm{AC}} t_{i_1} + \cdots + t_{i_k}$,

(ii) $S \models_{\mathrm{AC}} P(x_{i_1} + \cdots + x_{i_k}) \Leftarrow P_1(x_1) \wedge \ldots \wedge P_n(x_n)$, where $S$ is the set of clauses used in $\pi$,

(iii) if no standard +-push clause (3.15) is in $S$ then $k = n$, i.e. $t =_{\mathrm{AC}} t_1 + \ldots + t_n$.

As for the ACU-functional supports and ACUD-functional supports, we observe that the AC-standard functional support is uniquely defined (up to AC equivalence on terms) for derivations modulo AC in automata modulo AC which contain clauses of one-way AC automata as well as standard +-push clauses.

We also have the following result:

Corollary 4 Let $S$ be a set of +-pop clauses (3.6), epsilon clauses (3.3) and standard +-push clauses (3.15). Then given a clause $C$ of the form

$$C = P(x_{i_1} + \ldots + x_{i_k}) \Leftarrow P_1(x_1) \wedge \ldots \wedge P_n(x_n)$$

where $x_1, \ldots, x_n$ are distinct variables and $1 \le i_1 < \ldots < i_k \le n$, it is decidable whether $S \models_{\mathrm{AC}} C$.

Proof: Introduce constants $a_1, \ldots, a_n$. Define the automaton $\mathcal{A} = S \cup \{ P_i(a_i) \mid 1 \le i \le n \}$. We claim that

$$S \models_{\mathrm{AC}} C \quad \text{iff} \quad P(a_{i_1} + \ldots + a_{i_k}) \text{ is derivable in } \mathcal{A}/\mathrm{AC}. \qquad (*)$$

The latter is decidable because, from Theorem 42, $\mathcal{A}$ accepts a semilinear set.

Now we prove claim $(*)$. If $S \models_{\mathrm{AC}} C$ then $\mathcal{A} \models_{\mathrm{AC}} C$. Also $\mathcal{A} \models_{\mathrm{AC}} P_i(a_i)$ for $1 \le i \le n$. Hence $\mathcal{A} \models_{\mathrm{AC}} P(a_{i_1} + \ldots + a_{i_k})$. Conversely suppose $\mathcal{A} \models_{\mathrm{AC}} P(a_{i_1} + \ldots + a_{i_k})$. The derivation $\pi$ of $P(a_{i_1} + \ldots + a_{i_k})$ in $\mathcal{A}/\mathrm{AC}$ has a functional support of the form

$$\underbrace{P_{j_1}(a_{j_1}), \ldots, P_{j_1}(a_{j_1})}_{n_1 \text{ times}}, \ \ldots, \ \underbrace{P_{j_l}(a_{j_l}), \ldots, P_{j_l}(a_{j_l})}_{n_l \text{ times}}$$

where $1 \le j_1 < \ldots < j_l \le n$ and $n_i \ge 1$ for $1 \le i \le l$. We have

$$\pi = \frac{P_{j_1}(a_{j_1}) \ \cdots \ P_{j_1}(a_{j_1}) \quad \cdots \quad P_{j_l}(a_{j_l}) \ \cdots \ P_{j_l}(a_{j_l})}{P(a_{i_1} + \cdots + a_{i_k})}$$

By Lemma 61 we have $\{i_1, \ldots, i_k\} \subseteq \{j_1, \ldots, j_l\}$ and $S \models_{\mathrm{AC}} C_1$ where

$$C_1 = P(x_{i_1} + \cdots + x_{i_k}) \Leftarrow P_{j_1}(x_{j_1}) \wedge P_{j_1}(y_1^1) \wedge \ldots \wedge P_{j_1}(y_1^{n_1 - 1}) \wedge \cdots \wedge P_{j_l}(x_{j_l}) \wedge P_{j_l}(y_l^1) \wedge \ldots \wedge P_{j_l}(y_l^{n_l - 1}).$$

The variables in $C_1$ have been suitably named according to our convenience. Let $\sigma$ be the substitution which maps each $y_i^q$ to $x_{j_i}$ for $1 \le i \le l$, $1 \le q \le n_i - 1$, and is the identity on the other variables. Since $S \models_{\mathrm{AC}} C_1$ we have $S \models_{\mathrm{AC}} C_1 \sigma$. We have $C_1 \sigma = P(x_{i_1} + \cdots + x_{i_k}) \Leftarrow P_{j_1}(x_{j_1}) \wedge \ldots \wedge P_{j_l}(x_{j_l})$. Also, since $\{j_1, \ldots, j_l\} \subseteq \{1, \ldots, n\}$, we have $\models P_1(x_1) \wedge \ldots \wedge P_n(x_n) \Rightarrow P_{j_1}(x_{j_1}) \wedge \ldots \wedge P_{j_l}(x_{j_l})$. Hence we get $S \models_{\mathrm{AC}} C$. This proves claim $(*)$. □
11.3.3 Elimination of Standard +-Push Clauses

We now show that adding standard +-push clauses does not increase the expressiveness of one-way automata. We have already proved this result in Section 11.3.1 for the case where all free symbols are constants, i.e. we have shown that constant-only AC automata extended by adding standard +-push clauses are as expressive as constant-only AC automata. We now consider the general case where we have free symbols of arbitrary arity. This case has already been considered for the ACU case in Section 11.1, where we showed that standard +-push clauses can be eliminated in polynomial time from automata modulo ACU containing one-way ACU automata clauses as well as standard +-push clauses. We now show the same result for AC, although we don't provide a polynomial time algorithm.

We let $\Sigma$ be a signature such that $+ \in \Sigma$ and $0, - \notin \Sigma$. Let $A$ be an automaton modulo AC containing one-way AC automata clauses and standard +-push clauses. $A$ is assumed to be an automaton on signature $\Sigma$ with predicates from $\mathcal{P}$. We will construct an equivalent one-way AC automaton $C$ which also contains extended epsilon clauses. However we know that extended epsilon clauses don't increase the expressiveness of one-way equational tree automata.

Introduce a set $\Delta = \{a_P \mid P \in \mathcal{P}\}$ of new constants. For each $S \subseteq \mathcal{P}$ define the automaton $B_S = A_{eq} \cup \{P(a_P) \mid P \in S\}$. $B_S$ is a constant-only AC automaton with standard +-push clauses. Hence $\mathcal{L}_P(B_S/AC)$ is a semilinear set for each $P \in \mathcal{P}$. Therefore we can construct a constant-only AC automaton $A_{P,S}$ with final state $F_{P,S}$ such that $\mathcal{L}_{F_{P,S}}(A_{P,S}/AC) = \mathcal{L}_P(B_S/AC)$. We assume that the automata $A_{P,S}$ are all based on mutually disjoint sets of fresh states.

The required one-way automaton $C$ consists of

1. the extended epsilon clause $P(x) \Leftarrow F_{P,S}(x) \wedge \bigwedge_{Q \in S} Q(x_Q)$ for each $P \in \mathcal{P}$, $S \subseteq \mathcal{P}$.

2. the clauses of $A_{P,S}^{eq}$ for each $P \in \mathcal{P}$, $S \subseteq \mathcal{P}$.

3. the clause $Q(x) \Leftarrow R(x)$ for each constant clause $Q(a_R)$ in some $A_{P,S}$.

4. the free pop clauses $P(f(x_1, \ldots, x_n)) \Leftarrow P_1(x_1), \ldots, P_n(x_n)$ of $A$.

Lemma 62 If $P(t)$ is derivable in $A/AC$ then it is derivable in $C/AC$.

Proof: We do induction on the size of the derivation $\pi$ of $P(t)$ in $A/AC$. Let $\pi$ have AC-standard functional support $P_1(t_1), \ldots, P_n(t_n)$. We have

$$\pi = \dfrac{P_1(t_1) \quad \cdots \quad P_n(t_n)}{P(t)} \ (A_{eq}/AC)$$

From Lemma 61 we have $1 \leq i_1 < \cdots < i_k \leq n$ such that $t =_{AC} t_{i_1} + \cdots + t_{i_k}$ and $A_{eq} \models_{AC} P(x_{i_1} + \cdots + x_{i_k}) \Leftarrow P_1(x_1) \wedge \cdots \wedge P_n(x_n)$. Let $S = \{P_1, \ldots, P_n\}$. Since $A_{eq} = B_S^{eq}$, hence

$$B_S^{eq} \models_{AC} P(x_{i_1} + \cdots + x_{i_k}) \Leftarrow P_1(x_1) \wedge \cdots \wedge P_n(x_n). \qquad (*)$$

Also the atoms $P_1(a_{P_1}), \ldots, P_n(a_{P_n})$ are derivable in $B_S/AC$. Hence from (*), $P(a_{P_{i_1}} + \cdots + a_{P_{i_k}})$ is derivable in $B_S/AC$. Hence $F_{P,S}(a_{P_{i_1}} + \cdots + a_{P_{i_k}})$ is derivable in $A_{P,S}/AC$. Since $A_{P,S}$ has no standard +-push clause (3.14), by Lemma 61 this derivation has a functional support of the form $R_1(a_{P_{i_1}}), \ldots, R_k(a_{P_{i_k}})$ and $A_{P,S}^{eq} \models_{AC} F_{P,S}(x_1 + \cdots + x_k) \Leftarrow R_1(x_1) \wedge \cdots \wedge R_k(x_k)$. Since $A_{P,S}^{eq} \subseteq C_{eq}$, hence

$$C_{eq} \models_{AC} F_{P,S}(x_1 + \cdots + x_k) \Leftarrow R_1(x_1) \wedge \cdots \wedge R_k(x_k). \qquad (**)$$

Also since the clause $R_j(a_{P_{i_j}}) \in A_{P,S}$, hence $R_j(x) \Leftarrow P_{i_j}(x) \in C$ for $1 \leq j \leq k$.

For $1 \leq i \leq n$, since $t_i$ is functional we have some free $f_i$ of arity $k_i$ and terms $t_i^1, \ldots, t_i^{k_i}$ such that $t_i = f_i(t_i^1, \ldots, t_i^{k_i})$. Since $P_i(t_i)$ is in the functional support of the derivation of $P(t)$, there is some clause $P_i(f_i(x_1, \ldots, x_{k_i})) \Leftarrow P_i^1(x_1), \ldots, P_i^{k_i}(x_{k_i})$ such that for $1 \leq j \leq k_i$ the atom $P_i^j(t_i^j)$ is derivable in $A/AC$ using a derivation strictly smaller than $\pi$. By the induction hypothesis $P_i^j(t_i^j)$ is derivable in $C/AC$ for $1 \leq j \leq k_i$. Hence for $1 \leq i \leq n$, $P_i(t_i)$ is derivable in $C/AC$ using the clause $P_i(f_i(x_1, \ldots, x_{k_i})) \Leftarrow P_i^1(x_1) \wedge \cdots \wedge P_i^{k_i}(x_{k_i})$. Hence for $1 \leq j \leq k$, $R_j(t_{i_j})$ is derivable in $C/AC$ using the clause $R_j(x) \Leftarrow P_{i_j}(x)$.

Hence from (**), $F_{P,S}(t_{i_1} + \cdots + t_{i_k})$ (or $F_{P,S}(t)$) is derivable in $C/AC$. Since $S = \{P_1, \ldots, P_n\}$, the extended epsilon clause $P(x) \Leftarrow F_{P,S}(x) \wedge P_1(x_1) \wedge \cdots \wedge P_n(x_n)$ is in $C$. Also the atoms $P_1(t_1), \ldots, P_n(t_n)$ are derivable in $C/AC$. Hence using the extended epsilon clause, $P(t)$ is derivable in $C/AC$. □

Lemma 63 For $P \in \mathcal{P}$, if $P(t)$ is derivable in $C/AC$ then it is derivable in $A/AC$.

Proof: We do induction on the size of the derivation $\pi$ of $P(t)$ in $C/AC$. From examination of the clauses in $C$, we have the following two cases:

(i)

$$\pi = \dfrac{P_1(t_1) \quad \cdots \quad P_n(t_n)}{P(t)} \ (P(f(x_1, \ldots, x_n)) \Leftarrow P_1(x_1) \wedge \cdots \wedge P_n(x_n) \,/\, AC)$$

where $f$ is free. Clearly $t =_{AC} f(t_1, \ldots, t_n)$. By the induction hypothesis, the atoms $P_1(t_1), \ldots, P_n(t_n)$ are derivable in $A/AC$. Hence using the same free pop clause the atom $P(t)$ is derivable in $A/AC$.

(ii)

$$\pi = \dfrac{\pi' \quad (Q(t_Q))_{Q \in S}}{P(t)} \ (P(x) \Leftarrow F_{P,S}(x) \wedge \textstyle\bigwedge_{Q \in S} Q(x_Q) \,/\, AC)$$

where $\pi'$ is a derivation of $F_{P,S}(t)$. By the induction hypothesis

$$Q(t_Q) \text{ is derivable in } A/AC \text{ for } Q \in S. \qquad (*)$$

Let $t =_{AC} t_1 + \cdots + t_n$ where each $t_i$ is functional. Since $C$ has no standard +-push clauses, by examination of the clauses in $C$, $\pi'$ has a functional support of the form $R_1(t_1), \ldots, R_n(t_n)$ and we have

$$\pi' = \dfrac{\dfrac{\dfrac{\pi_1}{R_1(t_1)}}{Q_1(t_1)} \ (Q_1(x) \Leftarrow R_1(x)/AC) \quad \cdots \quad \dfrac{\dfrac{\pi_n}{R_n(t_n)}}{Q_n(t_n)} \ (Q_n(x) \Leftarrow R_n(x)/AC)}{F_{P,S}(t)} \ (A_{P,S}^{eq}/AC)$$

where each $\pi_i$ uses a free pop clause at the root. By the induction hypothesis $R_i(t_i)$ is derivable in $A/AC$ for $1 \leq i \leq n$. For $1 \leq i \leq n$, since the clause $Q_i(x) \Leftarrow R_i(x) \in C$, the clause $Q_i(a_{R_i}) \in A_{P,S}$. Also from Lemma 61 and the structure of $\pi'$ we have $A_{P,S}^{eq} \models_{AC} F_{P,S}(x_1 + \cdots + x_n) \Leftarrow Q_1(x_1) \wedge \cdots \wedge Q_n(x_n)$. Hence the atom $F_{P,S}(a_{R_1} + \cdots + a_{R_n})$ is derivable in $A_{P,S}/AC$. Hence $P(a_{R_1} + \cdots + a_{R_n})$ is derivable in $B_S/AC$. By Lemma 61, this derivation has a functional support of the form $R_1(a_{R_1}), \ldots, R_n(a_{R_n}), Q'_1(a_{Q'_1}), \ldots, Q'_p(a_{Q'_p})$ ($p \geq 0$) and $B_S^{eq} \models_{AC} P(x_1 + \cdots + x_n) \Leftarrow R_1(x_1), \ldots, R_n(x_n) \wedge Q'_1(y_1), \ldots, Q'_p(y_p)$. By definition $B_S^{eq} = A_{eq}$, hence

$$A_{eq} \models_{AC} P(x_1 + \cdots + x_n) \Leftarrow R_1(x_1), \ldots, R_n(x_n) \wedge Q'_1(y_1), \ldots, Q'_p(y_p). \qquad (**)$$

For $1 \leq i \leq p$, since the clause $Q'_i(a_{Q'_i}) \in B_S$, hence $Q'_i \in S$. Hence from (*) we have a term $t_{Q'_i}$ such that $Q'_i(t_{Q'_i})$ is derivable in $A/AC$. So from (**), $P(t_1 + \cdots + t_n)$ (or $P(t)$) is derivable in $A/AC$.

□

If $P$ is the final state of $A$ then we let $P$ be the final state of $C$. From Lemmas 62 and 63, $\mathcal{L}_P(C/AC) = \mathcal{L}_P(A/AC)$. We conclude that

Theorem 43 One-way AC tree automata extended by adding standard +-push clauses can be effectively reduced to equivalent one-way AC tree automata.

11.3.4 Elimination of Free Push Clauses

We have seen that we can add standard +-push clauses to one-way AC automata without increasing their expressiveness. Now we show that we can further add free push clauses without increasing expressiveness, by showing how to eliminate the free push clauses. In other words this also means that we can add standard +-push clauses to two-way AC tree automata without increasing their expressiveness.

To eliminate the free push clauses from our automata, we use a saturation procedure that iteratively adds new epsilon clauses so that finally the free push clauses become redundant.

We first define one step of the saturation procedure. Let $A$ be an automaton modulo AC containing two-way AC automata clauses and standard +-push clauses. We assume that the predicates are from the set $\mathcal{P}$. Let $A_{std}$ be the part of $A$ without the free push clauses. ($A_{std}$ contains one-way AC automata clauses and standard +-push clauses.) Trivially $A_{eq} \subseteq A_{std}$.

If

1. $A$ has a free push clause $R(x_i) \Leftarrow P(f(x_1, \ldots, x_n)) \wedge P_1^1(x_{i_1}) \wedge \cdots \wedge P_1^{n_1}(x_{i_1}) \wedge \cdots \wedge P_k^1(x_{i_k}) \wedge \cdots \wedge P_k^{n_k}(x_{i_k})$

2. $A$ has a free pop clause $Q(f(x_1, \ldots, x_n)) \Leftarrow Q_1(x_1), \ldots, Q_n(x_n)$

3. for some clause $C = P(x) \Leftarrow Q(x), R_1(x_1), \ldots, R_p(x_p)$ ($p \geq 0$) we have $A_{eq} \models_{AC} C$

4. for each $j \in \{1, \ldots, p\}$ there is some $s_j$ such that $R_j$ accepts $s_j$ in $A_{std}/AC$

5. for each $j \in \{1, \ldots, k\}$ there is some $t_{i_j}$ such that each of the states $Q_{i_j}, P_j^1, \ldots, P_j^{n_j}$ accepts $t_{i_j}$ in $A_{std}/AC$

6. for each $j \in \{1, \ldots, n\} \setminus \{i, i_1, \ldots, i_k\}$ there is some $t_j$ such that $Q_j$ accepts $t_j$ in $A_{std}/AC$

then we write $A \rhd A \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$, which is one step of our saturation procedure. Some remarks are necessary. Firstly, in step (3) it is sufficient to consider the (finitely many) clauses in which $R_1, \ldots, R_p$ are mutually distinct. This is because given a clause of the form $C_1 = P(x) \Leftarrow Q(x) \wedge R_1(x_1) \wedge R_1(y_1^1) \wedge \cdots \wedge R_1(y_1^{m_1}) \wedge \cdots \wedge R_p(x_p) \wedge R_p(y_p^1) \wedge \cdots \wedge R_p(y_p^{m_p})$, let $C_2 = P(x) \Leftarrow Q(x) \wedge R_1(x_1) \wedge \cdots \wedge R_p(x_p)$. It is easy to check that $C_1 \models C_2$ and $C_2 \models C_1$. Secondly, the condition $A_{eq} \models_{AC} C$ of step (3) can be decided using Corollary 4. Thirdly, from Theorems 20 and 43 the emptiness and intersection-emptiness problems are decidable for one-way AC tree automata extended by adding standard +-push clauses, which gives conditions (4) to (6). Hence we can effectively check whether $A \rhd A \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$.

This saturation step is harmless:

Lemma 64 If $A \rhd A \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$ as in the definition above, then any atom derivable in $A \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$ is also derivable in $A$.

Proof: It is sufficient to show that $R(t_i)$ is derivable in $A/AC$ assuming $Q_i(t_i)$ is derivable in $A/AC$. For $j \in \{1, \ldots, n\} \setminus \{i\}$ let $t_j$ be as above. For $j \in \{1, \ldots, p\}$ let $s_j$ be as above. $Q(f(t_1, \ldots, t_n))$ is derivable in $A/AC$ using the free pop clause. $P(f(t_1, \ldots, t_n))$ is derivable in $A/AC$ using the clause $P(x) \Leftarrow Q(x), R_1(x_1) \wedge \cdots \wedge R_p(x_p)$. $R(t_i)$ is derivable using the free push clause. □

The converse is trivially true. Hence $A$ and $A \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$ have the same set of derivable atoms modulo AC.

Given a two-way automaton $A$ our saturation procedure consists of (don't-care non-deterministically) generating a sequence $A_0 (= A) \rhd A_1 \rhd A_2 \rhd \cdots$ until no new clauses can be added. This always terminates because there are only finitely many possible epsilon clauses. Let the final (saturated) automaton be $B$. Then we remove the free push clauses from $B$ to get $B_{std}$. This step is also harmless:

Lemma 65 If any atom is derivable in $B/AC$ then it is derivable in $B_{std}/AC$.

Proof: It is sufficient to show that a derivation in $B$ which uses a free push clause only at the root and nowhere else can be converted to a derivation in $B_{std}$. Suppose we have a derivation of $R(t_i)$ using the free push clause $R(x_i) \Leftarrow P(f(x_1, \ldots, x_n)) \wedge P_1^1(x_{i_1}) \wedge \cdots \wedge P_1^{n_1}(x_{i_1}) \wedge \cdots \wedge P_k^1(x_{i_k}) \wedge \cdots \wedge P_k^{n_k}(x_{i_k})$ as the last clause. Hence the atoms $P(f(t_1, \ldots, t_n)), P_1^1(t_{i_1}), \ldots, P_k^{n_k}(t_{i_k})$ are derivable in $B_{std}/AC$. From Lemma 61 the derivation of $P(f(t_1, \ldots, t_n))$ has a functional support of the form $Q(f(t_1, \ldots, t_n)), R_1(s_1), \ldots, R_p(s_p)$ ($p \geq 0$) such that $B_{eq} \models_{AC} P(x) \Leftarrow Q(x), R_1(x_1), \ldots, R_p(x_p)$. The derivation of $Q(f(t_1, \ldots, t_n))$ uses some clause $Q(f(x_1, \ldots, x_n)) \Leftarrow Q_1(x_1), \ldots, Q_n(x_n)$ as the last clause. Hence $Q_1(t_1), \ldots, Q_n(t_n)$ are derivable in $B_{std}/AC$. Then we have that $B \rhd B \cup \{R(x_i) \Leftarrow Q_i(x_i)\}$. But $B$ is saturated. Hence $R(x_i) \Leftarrow Q_i(x_i) \in B$. Also $Q_i(t_i)$ is derivable in $B_{std}/AC$. Hence $R(t_i)$ is derivable in $B_{std}/AC$. □

The converse is trivially true. Hence the automaton $A$ is equivalent to the automaton $B_{std}$. Hence free push clauses can be effectively eliminated from a two-way AC automaton with standard +-push clauses, to get a one-way AC automaton with standard +-push clauses. We have also seen that standard +-push clauses don't increase the expressiveness of one-way AC automata. We conclude that

Theorem 44 Two-way AC tree automata extended by adding standard +-push clauses have the same expressiveness as one-way AC automata.

11.3.5 Two-Way ACU Automata with Standard +-Push Clauses

We saw above that two-way AC automata extended by adding standard +-push clauses are as expressive as one-way AC automata. To do this, we used two results: firstly we showed that standard +-push clauses can be eliminated from one-way AC automata extended by adding standard +-push clauses. Secondly we showed how free push clauses can be eliminated from two-way AC automata extended by adding standard +-push clauses.

Now as far as the ACU case is concerned, we have already shown the first of the two results: standard +-push clauses can be eliminated from one-way ACU automata extended by adding standard +-push clauses. For this we were actually able to give a polynomial time algorithm without taking a detour through EVASS, unlike in the AC case. We have not yet looked at the second problem, that of two-way ACU automata with standard +-push clauses. However we observe that the construction and proofs of Section 11.3.4 can be easily modified to work for the ACU case. The presence or absence of an identity element does not play a crucial role in this translation. The only new ingredients to the proof are the notion of AC-standard functional support, and Lemma 61 which allows us to reuse parts of derivations of one-way AC automata extended by adding standard +-push clauses. It should be clear that both of them have their counterparts in the ACU case, i.e. we can define a notion of ACU-standard functional support which takes into account standard +-push clauses, and we can also prove a result allowing us to reuse parts of ACU derivations involving standard +-push clauses. Without repeating the obvious constructions and proofs we merely state the result:

Theorem 45 Two-way ACU tree automata extended by adding standard +-push clauses have the same expressiveness as one-way ACU automata. In particular this class of automata accepts the same class of languages as one-way ACU automata.

Also observe that the elimination of free push clauses in Section 11.3.4 does not involve taking any detours through EVASS. This means that translating an automaton modulo ACU containing two-way automata clauses and standard +-push clauses to a one-way ACU automaton does not require the detours through EVASS which were used in the AC case. In particular this can be done in exponential time, unlike the algorithm for the AC case which is not primitive recursive.


11.4 +-Push Clauses in the AC and ACU Cases

We have seen that standard +-push clauses can be added to one-way and two-way AC and ACU automata without increasing their expressiveness. We started this chapter with a discussion of +-push clauses, which are more powerful than standard +-push clauses, and we showed that these clauses can be trivially eliminated from ACUX and ACUM automata. However we don't have a similar result in the AC or ACU case. In fact the decidability question for automata modulo AC and ACU with +-push clauses is still open.

Even in the very restricted case where all free symbols are constants, we don't know whether the emptiness of automata modulo AC or ACU containing +-push clauses is decidable. There is no obvious translation from such automata to EVASS, unlike in the case of standard +-push clauses where such a translation was possible. However it is possible to translate these automata to a further extension of EVASS with the following new kind of clauses:

$$P(x - y) \Leftarrow P_1(x) \wedge P_2(y)$$

Call these new clauses subtraction clauses. The semantics of this clause is: "if configurations $P_1(v_1)$ and $P_2(v_2)$ are reachable and $v_1 - v_2 \geq \vec{0}$ then the configuration $P(v_1 - v_2)$ is reachable." In the presence of such clauses, the constant-addition clauses become redundant since they can be encoded using addition and subtraction clauses. Hence we are left with the following set of clauses:

$$P(v) \quad \text{where } v \in \mathbb{N}^p$$

$$P(x + y) \Leftarrow P_1(x) \wedge P_2(y)$$

$$P(x - y) \Leftarrow P_1(x) \wedge P_2(y)$$

With such a set of clauses, it can be seen that these EVASS with subtraction clauses are exactly constant-only ACU automata extended by adding +-push clauses. (The translation of automata modulo AC requires some care to avoid deriving the zero tuple.) However we don't know whether the construction of Karp-Miller trees can be further extended to deal with subtraction clauses.
While the questions whether emptiness and intersection-emptiness of constant-only ACU automata with +-push clauses are decidable are open, we do know that decidability of the emptiness problem implies decidability of the intersection-emptiness problem for such automata. This is because given a set $V$ of EVASS clauses and subtraction clauses, if we want to know whether two states $P_1$ and $P_2$ accept at least one common tuple, it suffices to add the clauses:

$$P_3(x - y) \Leftarrow P_1(x) \wedge P_2(y)$$

$$P_0((0, \ldots, 0))$$

$$P(x - y) \Leftarrow P_0(x) \wedge P_3(y)$$

Then there is some common tuple accepted at both $P_1$ and $P_2$ iff there is some tuple accepted at $P$. This result further shows the power of subtraction clauses, which allow us to reduce the intersection-emptiness problem to the emptiness problem, implying that the decidability proofs, if any exist, in this case would not be simple.
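As an added illustration (example code written for this page, not from the thesis), the following Python gives the clause semantics of EVASS with subtraction clauses over a bounded box of $\mathbb{N}^p$ and runs the three-clause reduction above; the clause encoding, the coordinate bound (the text leaves decidability of the unbounded problem open), the suffixed state names and the example states are all assumptions of this example.

```python
"""Bounded forward saturation for EVASS clause sets with subtraction clauses,
over tuples in N^p, plus the intersection-emptiness to emptiness reduction
from the text. Clause encodings used here (constructed for this example):
  ("const", P, v)        P(v)                      v a tuple over N
  ("add",   P, P1, P2)   P(x + y) <= P1(x) /\\ P2(y)
  ("sub",   P, P1, P2)   P(x - y) <= P1(x) /\\ P2(y), only when x - y >= 0
"""


def _apply(kind, x, y):
    """Vector sum, or difference; None when the difference leaves N^p."""
    if kind == "add":
        return tuple(a + b for a, b in zip(x, y))
    v = tuple(a - b for a, b in zip(x, y))
    return v if all(a >= 0 for a in v) else None


def saturate(clauses, bound):
    """For every state, the set of tuples derivable from the clauses while
    keeping every coordinate <= bound (a fixpoint over a finite box).

    The bound is an assumption of this example, not part of the text: the text
    leaves decidability of the unbounded problem open, so we only explore a
    finite box, which guarantees termination."""
    reach = {}
    for c in clauses:
        if c[0] == "const":
            reach.setdefault(c[1], set()).add(tuple(c[2]))
    changed = True
    while changed:
        changed = False
        for c in clauses:
            if c[0] == "const":
                continue
            kind, head, p1, p2 = c
            for x in list(reach.get(p1, ())):
                for y in list(reach.get(p2, ())):
                    v = _apply(kind, x, y)
                    if v is None or max(v) > bound:
                        continue
                    acc = reach.setdefault(head, set())
                    if v not in acc:
                        acc.add(v)
                        changed = True
    return reach


def intersection_to_emptiness(clauses, p1, p2, dim):
    """Add the three clauses of the text (states P3, P0, P; suffixed with '_'
    here so they cannot collide with input states):
        P3(x - y) <= P1(x) /\\ P2(y)    P3 reaches the zero tuple iff P1, P2 share a tuple
        P0((0,...,0))
        P(x - y)  <= P0(x) /\\ P3(y)    0 - v >= 0 forces v = 0, so P is non-empty
                                        iff P3 reaches the zero tuple
    Returns the extended clause list and the name of the new final state P."""
    p3, p0, p = "P3_", "P0_", "P_"
    states = {c[1] for c in clauses}
    states |= {s for c in clauses if c[0] != "const" for s in c[2:]}
    if states & {p3, p0, p}:
        raise ValueError("state names P3_, P0_ and P_ are reserved by the reduction")
    extra = [("sub", p3, p1, p2), ("const", p0, (0,) * dim), ("sub", p, p0, p3)]
    return clauses + extra, p


def common_tuple_exists(clauses, p1, p2, dim, bound):
    """Decide, within the box [0, bound]^dim, whether p1 and p2 accept a common
    tuple by running plain (bounded) emptiness on the extended system."""
    extended, final = intersection_to_emptiness(clauses, p1, p2, dim)
    return bool(saturate(extended, bound).get(final))


# Constructed example in N^2 (not from the text):
#   P1 accepts (1 + k, k), k >= 0   via P1((1,0)) and P1(x + y) <= P1(x) /\ A(y), A((1,1))
#   P2 accepts (m, 2),     m >= 0   via P2((0,2)) and P2(x + y) <= P2(x) /\ B(y), B((1,0))
#   C accepts only (0, 3)
EXAMPLE = [
    ("const", "P1", (1, 0)), ("const", "A", (1, 1)), ("add", "P1", "P1", "A"),
    ("const", "P2", (0, 2)), ("const", "B", (1, 0)), ("add", "P2", "P2", "B"),
    ("const", "C", (0, 3)),
]

if __name__ == "__main__":
    print(sorted(saturate(EXAMPLE, 4)["P1"]))              # [(1, 0), (2, 1), (3, 2), (4, 3)]
    print(common_tuple_exists(EXAMPLE, "P1", "P2", 2, 6))  # True: (3, 2) is accepted by both
    print(common_tuple_exists(EXAMPLE, "P1", "C", 2, 6))   # False: P1 never has first coordinate 0
```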

We also don't know whether adding these new clauses to EVASS strictly increases the expressiveness of EVASS. Similarly, while EVASS are at least as expressive as VASS, we don't know whether they are strictly more expressive.



Chapter 12

Conclusion


We have studied two-way tree automata modulo several variants of the theory of associativity and commutativity. Two-way automata give us a suitable mechanism for modelling cryptographic protocols. Our motivation for these equational variants of tree automata is to be able to model cryptographic protocols which use non-perfect cryptographic primitives. Equational theories are used to model the algebraic properties of these primitives. This work is the first general study of one-way and two-way equational tree automata for the theory AC and its variants. While there are known results in the one-way AC case, the extensions to other associative and commutative theories, such as the theory of exclusive-or or the theory of Abelian groups, have never been considered. In the two-way case, there do not seem to have been any publications studying decidability or closure properties in the presence of equational theories. The equational theories we treat are AC (associativity and commutativity of +), ACU (AC with a unit 0 for the operation +), ACUX (the theory of exclusive-or), ACUX_n (a generalisation of the theory of exclusive-or, with the generalised cancellation rule nx = 0 where n ≥ 2), ACUM (the theory of Abelian groups), ACUD (the theory of a distributive − symbol), and ACUI (ACU plus the axiom x + x = x, that is, the theory of idempotence).

Included in this list are the theories AC, ACU, the theory of exclusive-or and the theory of Abelian groups, which often occur in the verification of cryptographic protocols. To illustrate the usefulness of equational tree automata for modelling cryptographic protocols, we show how the group Diffie-Hellman protocol is modelled in decidable fragments of our tree automata modulo the theories ACU and ACUM (the theory of Abelian groups). Note that we also study the theories AC and ACUX (the theory of exclusive-or), which often occur in cryptographic protocols.

The core of this thesis is the study of the algorithmic properties of equational automata. We study whether emptiness of the languages accepted by our equational tree automata is decidable, whether these languages are closed under Boolean operations, and whether the two-way variants of equational tree automata can be reduced to one-way equational tree automata.

We first showed that adding alternation to one-way equational tree automata leads to undecidability of emptiness for the theories AC, ACU, ACUD and ACUM. In particular, equational tree automata have remarkably different properties from non-equational tree automata, where alternation is essentially harmless. This also implies that general two-way automata modulo these theories have an undecidable emptiness problem.

On the positive side, we showed that emptiness of one-way equational tree automata is decidable for an arbitrary theory. We also showed that "constant-only" automata modulo the theories AC, ACU and ACUD accept semilinear sets modulo encodings.

As for the closure properties of one-way equational automata, we showed that one-way automata modulo all the theories above are closed under union and intersection. In contrast, the complementation results are remarkably different. We showed that while one-way tree automata modulo the theories AC, ACU and ACUD are closed under complement, those modulo the theories ACUX, ACUX_n, ACUM and ACUI are not. We gave counter-examples in the latter cases. These results suggest an equivalence between linearity of the equational theory and closure under complementation of one-way equational tree automata. But we have seen that this equivalence is false in general. Closure under intersection and decidability of emptiness further imply decidability of intersection-emptiness and of membership.

Because of the undecidability results mentioned above, we had to identify a suitable subclass of general two-way equational tree automata, which we called "two-way equational tree automata". This class is nevertheless general enough for modelling cryptographic protocols, as illustrated by the fact that the modelling of the group Diffie-Hellman protocol mentioned above is done exactly within this class. We showed that modulo all the theories mentioned above except ACUI, these two-way automata can be effectively reduced to one-way automata modulo the same theories. (The ACUI case is open.) Consequently, the decidability and Boolean closure results for one-way automata generalise to these two-way automata. In particular, the intersection-emptiness problem for these two-way automata is decidable, which is what we need in the verification of cryptographic protocols, for example in the modelling of the group Diffie-Hellman protocol.

The push clauses considered in these two-way automata involve only non-equational function symbols (that is, they do not contain the symbol +). We then studied the effect of adding push clauses containing +. To handle standard +-push clauses, we had to define an extension of vector addition systems with states (VASS) [Reu89], which we called extended VASS (EVASS). We showed that the construction of Karp-Miller trees for VASS, defined so as to compute the limits of the reachable configurations of VASS, generalises to EVASS. Thanks to translations of automata containing standard +-push clauses into EVASS, we show that standard +-push clauses can be eliminated from automata modulo AC. However, this algorithm is not primitive recursive, because the Karp-Miller construction (even for VASS) is not. In the ACU case, however (as opposed to AC), we were able, perhaps surprisingly, to avoid going through EVASS. Consequently we have a merely exponential algorithm in the ACU case. To sum up, we showed that automata modulo AC and ACU which contain two-way automata clauses and standard +-push clauses can be effectively reduced to one-way automata modulo AC and ACU respectively. (In the ACUX and ACUM cases these clauses can be trivially eliminated.) We showed that +-push clauses, which are more general than standard +-push clauses, are again trivial in the ACUX and ACUM cases, but are difficult in the AC and ACU cases, for which the decidability question is still open today.

Several problems have been left open in this thesis. While we showed that alternation leads to undecidability for the theories AC, ACU, ACUD and ACUM, the question is open for the theories ACUX, ACUX_n and ACUI. The question whether two-way automata modulo ACUI (which also encode alternation) can be translated into one-way automata modulo ACUI is also open. The decidability question in the presence of +-push clauses in the AC and ACU cases is also still open. We showed that these automata can be translated into an extension of EVASS containing "subtraction clauses", but the decidability question for the latter is open and includes that of reachability in Petri nets. Thus, in this thesis we have seen two successive extensions of VASS, but the question whether one or both of them are strictly more expressive than VASS is open. Likewise, while we were able to handle standard +-push clauses in the ACU case without going through EVASS, which lets us stay within the realm of exponential algorithms, we do not know whether the same can be done for AC automata.

Finally, a fine-grained study of the complexity of the decision problems studied in this thesis remains to be done, as does an empirical evaluation of the efficiency of the algorithms.
We have studied two-way equational tree automata for several variants of the theory of associativity and commutativity. Two-way tree automata provide a suitable mechanism for modeling cryptographic protocols. The motivation behind defining these equational variants of tree automata is to be able to model cryptographic protocols which use non-perfect cryptographic primitives. Equational theories are used to model algebraic properties of these primitives. We believe that this work is the first general treatment of one-way and two-way equational tree automata for AC-like theories. While there are known results in the one-way AC case, the extensions to other AC theories like the theory of exclusive-or or that of Abelian groups have not been considered so far. In the two-way case, we are not aware of any previous work dealing with decidability or closure properties in the presence of equational theories. The equational theories we deal with are AC (associativity and commutativity of a + symbol), ACU (AC together with a unit 0 for the + operator), ACUX (the theory of exclusive-or), ACUX_n (generalization of the theory of exclusive-or by the generalized cancellation rule nx = 0, where n ≥ 2), ACUD (the theory of a distributive − symbol), ACUM (the theory of Abelian groups) and ACUI (ACU with the idempotence axiom x + x = x).

Included in this list are the theories AC, ACU, the theory of exclusive-or and the theory of Abelian groups, which occur often in verification of cryptographic protocols. To illustrate the use of equational tree automata in modeling cryptographic protocols, we show the modeling of the group Diffie-Hellman protocol in decidable fragments of our tree automata modulo the theories ACU and ACUM (Abelian groups theory). Note that we also deal with the theories AC and ACUX (the theory of exclusive-or) which occur frequently in cryptographic protocols.

The core of this thesis is concerned with algorithmic properties of equational tree automata. We study whether emptiness of languages accepted by our equational tree automata is decidable, whether these languages are closed under Boolean operations, and whether the two-way variants of equational tree automata can be reduced to one-way equational tree automata.

We first showed that adding alternation to one-way equational tree automata leads to undecidability of emptiness in the theories AC, ACU, ACUD and ACUM. In particular equational tree automata have remarkably different properties than non-equational tree automata, in which alternation is harmless. This also means that general two-way automata modulo these theories have an undecidable emptiness problem.

On the positive side we showed that emptiness of one-way equational tree automata is decidable for an arbitrary theory. Also we showed that the constant-only automata modulo the theories AC, ACU and ACUD accept semilinear, i.e. Presburger-definable, sets, modulo some encoding.

Coming to closure properties of one-way equational tree automata, we showed that one-way automata for all the theories above are closed under union and intersection. On the other hand the results on complementation are remarkably different. We showed that while the one-way tree automata modulo the theories AC, ACU and ACUD are closed under complementation, those modulo the theories ACUX, ACUX_n, ACUM and ACUI are not closed under complementation. We gave counter-examples for the latter cases. These results suggest an equivalence between linearity of the equational theory and closure under complementation of equational tree automata. However this equivalence does not hold for all theories. Closure under intersection and decidability of emptiness further imply decidability of intersection-emptiness as well as of the membership test.

Because of the undecidability results mentioned above, we identified a suitable subclass of the general two-way equational tree automata which we called "two-way equational tree automata". This class is however general enough for the purposes of modeling cryptographic protocols, as illustrated by the fact that the modeling of the group Diffie-Hellman protocol mentioned above is done using this class. We showed that modulo all theories mentioned above except ACUI, these two-way automata can be effectively reduced to one-way automata modulo the same theory. (The ACUI case is open.) As a result, the results about decidability and closure under Boolean operations of one-way automata also generalize to these two-way automata. In particular the intersection-emptiness problem for these two-way automata is decidable, which is what is required in verification of cryptographic protocols, e.g. in the modeling of the group Diffie-Hellman protocol mentioned above.

The push clauses considered in these two-way automata involved only free function symbols (i.e. they didn't contain the symbol +). Next we looked at the effect of adding push clauses involving +. In order to deal with standard +-push clauses, we needed to define an extension of Vector Addition Systems with States (VASS) which we called Extended VASS (EVASS). We showed that the usual construction of Karp-Miller trees for VASS, which is used to compute limits of the reachable configurations, can be extended to the case of EVASS. By translating automata with standard +-push clauses to EVASS, we were able to show how to eliminate standard +-push clauses from AC automata. However this algorithm is not primitive recursive because the Karp-Miller tree construction (even for VASS) is not primitive recursive. However in the ACU case (as against the AC case), we were surprisingly able to avoid the detours through EVASS. As a result we have an exponential time algorithm in the ACU case. To sum up, we showed that AC and ACU automata which contain two-way automata clauses and standard +-push clauses can be effectively reduced to one-way AC and ACU automata respectively. (In the ACUX and ACUM cases these clauses can be trivially eliminated.) We showed that +-push clauses, which are more general than standard +-push clauses, are again trivial for the ACUX and ACUM theories, but are difficult in the AC and ACU cases, for which the decidability problem is open.


Perspectives


Several problems have been left open in this thesis. Although we have shown that alternation leads to undecidability for the theories AC, ACU, ACUD and ACUM, the question is left open for the theories ACUX, ACUX_n and ACUI. The question whether two-way ACUI tree automata (which also encode alternation) can be translated to one-way ACUI automata is also left open. The decidability problem in the presence of +-push clauses in the AC and ACU cases has also been left open. These automata are shown to be translatable to an extension of EVASS with so-called subtraction clauses; however the decidability question for the latter is open and includes that of Petri net reachability. Hence in this thesis we have looked at two successive extensions of VASS; however the question whether either of the two is strictly more expressive than VASS is open. Also, while we were able to deal with standard +-push clauses in the ACU case without going through EVASS, thus remaining in the realm of exponential algorithms, we do not know whether the same can be done for AC automata.

Finally, it would be interesting to study the precise complexity of the decision problems studied in this thesis, and to evaluate the efficiency of the algorithms empirically.